

Defence Research and Development Canada
Recherche et développement pour la défense Canada





Investigation of a Neural Network 
Implementation of a TCP Packet Anomaly 
Detection System 


M. Dondo and J. Treurniet 


Defence R&D Canada - Ottawa 

TECHNICAL MEMORANDUM 
DRDC Ottawa TM 2004-208 
May 2004 




Report Documentation Page 


Form Approved 
OMB No. 0704-0188 




1. REPORT DATE: May 2004
2. REPORT TYPE: (blank)
3. DATES COVERED: (blank)
4. TITLE AND SUBTITLE: Investigation of a Neural Network Implementation of a TCP Packet Anomaly Detection System (U)
5a. CONTRACT NUMBER / 5b. GRANT NUMBER / 5c. PROGRAM ELEMENT NUMBER / 5d. PROJECT NUMBER / 5e. TASK NUMBER / 5f. WORK UNIT NUMBER: (blank)
6. AUTHOR(S): (blank)
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Defence R&D Canada - Ottawa, 3701 Carling Ave, Ottawa, Ontario, CA, K1A 0Z4
8. PERFORMING ORGANIZATION REPORT NUMBER: (blank)
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): (blank)
10. SPONSOR/MONITOR'S ACRONYM(S): (blank)
11. SPONSOR/MONITOR'S REPORT NUMBER(S): (blank)
12. DISTRIBUTION/AVAILABILITY STATEMENT: Approved for public release; distribution unlimited
13. SUPPLEMENTARY NOTES: The original document contains color images.

14. ABSTRACT 

We present the design and implementation of an artificial neural network (ANN) system of multi-layer 
perceptron classifiers to detect suspicious TCP traffic at a single packet level. The advantage to using 
ANNs for the detection of attacks is that they do not only rely on attack signatures, as in many common 
signature-based IDSs. Rather they are capable of learning broader definitions of attack attributes. The use 
of ANNs in this approach also enhances the processing speed where real-time applications require the 
processing of substantial amounts of data at high speeds. The ANN model was tested on labelled sets of 
attack data obtained from the DARPA IDS Evaluation. The model was successful in detecting a variety of 
attacks, including denial of service attacks, probing activity and other suspicious activity. Future work will 
examine the application of an ANN to sequences of related packets to detect attacks. 


15. SUBJECT TERMS: (blank)
16. SECURITY CLASSIFICATION OF: a. REPORT unclassified; b. ABSTRACT unclassified; c. THIS PAGE unclassified
17. LIMITATION OF ABSTRACT: (blank)
18. NUMBER OF PAGES: 60
19a. NAME OF RESPONSIBLE PERSON: (blank)

Standard Form 298 (Rev. 8-98), prescribed by ANSI Std Z39-18








© Her Majesty the Queen as represented by the Minister of National Defence, 2004 



Abstract 


We present the design and implementation of an artificial neural network (ANN) system of multi-layer perceptron classifiers to detect suspicious TCP traffic at a single packet level. The advantage to using ANNs for the detection of attacks is that they do not only rely on attack signatures, as in many common signature-based IDSs. Rather they are capable of learning broader definitions of attack attributes. The use of ANNs in this approach also enhances the processing speed where real-time applications require the processing of substantial amounts of data at high speeds. The ANN model was tested on labelled sets of attack data obtained from the DARPA IDS Evaluation. The model was successful in detecting a variety of attacks, including denial of service attacks, probing activity and other suspicious activity. Future work will examine the application of an ANN to sequences of related packets to detect attacks.


Résumé


We present here the design and implementation of an artificial neural network (ANN) made up of perceptron classifiers that detect suspicious TCP traffic at the level of a single packet. The advantage of using ANNs for attack detection lies in the fact that they do not rely exclusively on attack signatures, as common signature-based IDSs do. On the contrary, they are capable of learning broader definitions of attack attributes. The ANNs used in this approach increase the processing speed, especially for real-time applications that require the processing of large quantities of data at high speed. The ANN model was tested on the labelled sets of attack data obtained from the DARPA IDS evaluation. The model succeeded in detecting a diversity of attacks, including denials of service, probing activity and other suspicious activity. In future work, we will examine the application of an ANN to sequences of related packets in the hope of spotting attacks.
Executive summary


The Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols is used by the majority of Internet data communications applications. This includes the World Wide Web hypermedia system which uses HTTP (HyperText Transfer Protocol), as well as other common network protocols such as FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and Telnet. The widespread use of TCP means that it is likely to be exploited for misuse and various forms of attacks. Malicious behaviour can be perpetrated through the TCP/IP protocols without being blocked by firewalls or detected by intrusion detection systems (IDS) because commonly-used IDSs don't have the ability to recognize new variations of attacks.

Artificial neural networks (ANNs) are capable of learning from previously observed patterns and scenarios. Unlike existing approaches [1], ANN models are capable of classifying large amounts of data without significant computational effort, thus making them suitable for real-time applications. They are easily scalable, and are capable of handling large amounts of data without compromising computational speed [2,3]. An ANN anomaly detector would be suitable for operational deployment behind the firewall in order to catch what the firewall failed to block. It may also be implemented as a host-based IDS.

In this work, an ANN model was developed that is capable of detecting variations 
from normal TCP traffic. The attributes of normal and abnormal communication 
within TCP packets were observed, and the attributes that signify attack and misuse 
were determined. These attributes were then used in designing and implementing 
an ANN model capable of automatically classifying and identifying some network- 
based intrusions at a packet-by-packet level. 

The model was applied to the 1999 Defense Advanced Research Projects Agency (DARPA) IDS evaluation data collected by the Lincoln Laboratories at MIT. Of the documented attacks in the DARPA 1999 data, the model was successful in detecting scanning, denial of service and other attack attempts. The flexibility of the model's classifiers was also successfully demonstrated through the use of this data. The IP address classifier, which allows one to define IP domains whose access indicates some form of misuse, was modified and re-trained in the DARPA analysis to account for the simulation network's use of private IP address spaces.

This ANN model handles individual packets, but it is only a first step in the investigation of the application of ANNs to traffic analysis and anomaly detection. Since there are a variety of attacks whose presence may only be determined through observing multiple related packets, future research efforts will focus on enhancing the capabilities of this model to be able to detect malicious events and coordinated attacks in a series of related packets.


M. Dondo, J. Treurniet; 2004; Investigation of a Neural Network Implementation of a TCP Packet Anomaly Detection System; DRDC Ottawa TM 2004-208; Defence R&D Canada - Ottawa.
Sommaire


The Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols is found in the majority of Internet data communications applications. Among these applications is the WWW hypermedia system, which runs on HTTP (HyperText Transfer Protocol), as well as other common protocols such as FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and Telnet. The widespread presence of TCP increases the risk that it will be used for malicious purposes and various other forms of attack. Malicious behaviour can act through the TCP/IP protocols without the knowledge of firewalls and intrusion detection systems (IDS), because most of these IDSs do not have the ability to recognize new variants of attack.

Artificial neural networks (ANNs) have the ability to learn from previously observed patterns and scenarios. Unlike existing approaches [1], ANN models manage to classify a large quantity of data without significant computational work, which makes them very well suited to real-time applications. They are easy to scale and can handle a considerable quantity of data without slowing down operations [2,3]. Given that ANN techniques generally have a higher computational speed and can detect new attacks without operator intervention, an ANN anomaly detector should fit well into an operational deployment behind a firewall, capturing what the firewall has let through. It can also be implemented as an IDS on a host.

In the present work, an ANN model was developed that is capable of detecting deviations from normal traffic. The attributes of normal and abnormal communications in TCP packets are observed, and those that appear to correspond to an attack or to misuse are designated. These attributes are then used to design and implement an ANN model that can automatically identify and classify certain network intrusions at the level of each packet.

This model was applied to the 1999 IDS evaluation data of DARPA (Defense Advanced Research Projects Agency), data collected by the Lincoln Laboratories at MIT. Of all the attacks described in the DARPA 1999 data, the model succeeded in analysing denial of service and other intrusion attempts. The flexibility of the model's classifiers was demonstrated beyond any doubt. The IP address classifier, which makes it possible to specify IP domains whose access suggests some form of misuse, was modified and retrained in the DARPA analysis to account for the simulation network's use of private IP address spaces.

This ANN model currently handles individual packets, but it is only a first step in the study of the use of ANNs to analyse traffic and detect anomalies. Since there exists a great diversity of attacks whose presence is often only detectable by observing several related packets, future research efforts will focus on improving this model's ability to detect malicious events and coordinated attacks in a series of related packets.


M. Dondo, J. Treurniet; 2004; Investigation of a Neural Network Implementation of a TCP Packet Anomaly Detection System; DRDC Ottawa TM 2004-208; Defence R&D Canada - Ottawa.
1 Introduction


There are two forms of intrusion detection systems (IDS): misuse detection and anomaly detection. Misuse detection IDSs use signatures to detect intrusion attempts [4,5]. They are effective in identifying known attacks; however, they lack the ability to generalize attack signatures and protect the network from slightly modified versions of known network attacks. Anomaly detection techniques detect behaviour that is not considered to be normal and may detect such attacks; however, they are generally not trusted as they are considered to have a high degree of false positives. Moreover, these systems require periodic on-line training which can be undermined by incorporating undesired behaviour into the training data [5,6].

Researchers have applied numerous approaches to the detection of anomalies, including: statistical, fuzzy systems, genetic algorithms, modular programming and Artificial Neural Network (ANN) approaches [1]. There is significant interest in applying ANN methods to IDSs at all levels (host, application and network) [2,5,7-12], due to the advantages of ANNs over other approaches.

The number of packets that must be processed in a very short period of time presents a challenge. ANNs are well-known for having fast response times, which makes them suitable for real-time applications where conventional approaches would not produce comparable results at similar speeds [13,14]. Genetic algorithms and fuzzy systems are among the latest research areas in intrusion detection. Used on their own, it has been shown that they cannot match the speed, scalability, and precision of ANNs [13-16].

Neural networks are easily scalable [3]; a change in the problem definition can be easily implemented by changing the number of nodes in the ANN model. Unlike conventional algorithms that require substantial algorithm rework when the problem changes, ANNs can be easily scaled at low additional cost [3]. Once trained, ANNs do not need retraining unless the problem definition changes. Statistical approaches usually depend on the underlying behavioural distributions such as the Gaussian distribution; ANNs do not make prior assumptions about the data they handle [3].

Over 90% of Internet traffic has been shown to use the Transmission Control Protocol (TCP) [17]. Because of its widespread use and its impressive growth [17,18], we have chosen to focus our efforts on the detection of anomalous behaviour within TCP traffic. This paper presents the results of the first stage of a larger research program, where a multi-classifier feedforward ANN is used to identify anomalies within individual TCP packets. In a real-time scenario, this is equivalent to analysing each packet as it arrives at the sensor. The ANN is trained using the backpropagation training algorithm, and used to generalize from previously observed TCP traffic header attributes and to extrapolate beyond the training space provided. A backpropagation algorithm was used because it is easy to configure and train. This algorithm has been successfully used in other intrusion detection research [12].

One challenge for ANN IDSs is their ability to identify the source (or type) of an 
attack [1]. In this work, this challenge is addressed by breaking down the attributes 
of a packet and using multiple classifiers, identifying the classifier that triggered an 
alert. 

This paper is organised into 6 sections. In Section 2, we give an overview of the 
TCP protocol and an introduction to ANNs. In Section 3 we examine the attributes 
of TCP/IP packets whose values may indicate anomalous behaviour and describe 
how these attributes may be used to detect misuse. We then define the ANN model 
and form the classifiers that will be used. In Section 4 we show how the ANN is 
implemented, and in Section 5 we present the results of the model applied to the 
DARPA 1999 IDS Evaluation Data [19]. We discuss the results and conclude in 
Section 6. 
2 Background Theory


A summary of the TCP protocol and of ANNs as applied to this work is presented. Detailed discussions of these topics are available in most of the standard literature [2,20].


2.1 Transmission Control Protocol

The TCP protocol is a connection-oriented protocol that enables the reliable transmission of Internet application traffic. Some of the applications that utilize TCP/IP include HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), Telnet, and SMTP (Simple Mail Transfer Protocol). Figure 1 shows the layers of the TCP/IP protocol suite [20] through which transmitted data passes, in this case on an Ethernet network. When an application sends data, it originates at the application layer, then goes to the transport layer, then the network layer, and finally the network interface layer. At each layer, the data is encapsulated with a header containing information about that layer. When the packet is received by a host, the headers are stripped off as the data makes its way from the network interface layer to the application layer. This process is defined in RFC 894 [21]. The TCP and IP protocol headers [20,22] are shown in Figure 2.


Figure 1: Illustration of the TCP data transfer encapsulation process. Application layer: [Data]; Transport layer: [TCP][Data]; Network layer: [IP][TCP][Data]; Network interface layer: [Ethernet][IP][TCP][Data].

The TCP header contains information that is important to the establishment of a reliable connection. The sequence and acknowledgement numbers provide unique identifiers of the connection to the client and server, and provide confirmation that data was received. TCP flags are used to control the state of the TCP connection. Table 1 shows the TCP flags, two of which (ECE and CWR) were originally reserved (as shown in Figure 2), but are now being used to communicate congestion control capabilities as defined in RFC 3168 [23].


Figure 2: IP and TCP header layouts. IP header fields: Version, Header length, Type of Service, Total length, Identification, Flags, Fragment offset, Time to Live, Protocol, Header checksum, Source address, Destination address, Options (optional). TCP header fields: Source port, Destination port, Sequence number, Acknowledgement number, Offset, Reserved, Flags, Window, Checksum, Urgent pointer, Options (optional).


Table 1: Summary of the TCP session bit flags

Flag      Meaning
ECE (1)   ECN-Echo
CWR (1)   Congestion window reduced
URG       Urgent data
ACK       Valid acknowledgement
PSH       Push request
RST       Reset session
SYN       Synchronize sequence number
FIN       Final data
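The header layouts of Figure 2 and the flag bits of Table 1 are the raw material of the per-packet attributes this report classifies. As an added illustration (editor's code, not code from the report), the following Python parser decodes a constructed 40-byte IPv4 + TCP packet with the standard `struct` module and returns the header fields, the Table 1 flags that are set, and the source-equals-destination attribute named later in Section 3.1.1. The sample bytes, the flag bit positions (the standard positions, CWR = 0x080 down to FIN = 0x001) and the attribute dictionary's field names are the editor's assumptions.

```python
import struct

# TCP flag bit positions in the low bits of the 16-bit "offset / reserved / flags" word.
# CWR and ECE are the two formerly reserved bits repurposed by RFC 3168.
TCP_FLAG_BITS = {
    "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
    "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}

# Constructed sample packet: a minimal 20-byte IPv4 header followed by a 20-byte TCP
# header with no options and no payload. All values are made up for illustration.
SAMPLE_PACKET = (
    struct.pack("!BBHHHBBH4s4s",
                0x45,                   # version 4, header length 5 words (20 bytes)
                0x00,                   # type of service
                40,                     # total length: 20 (IP) + 20 (TCP)
                0x1C46,                 # identification
                0x4000,                 # flags (DF set) / fragment offset 0
                64,                     # time to live
                6,                      # protocol 6 = TCP
                0,                      # header checksum (left zero in this sample)
                bytes([10, 0, 0, 1]),   # source address
                bytes([10, 0, 0, 2]))   # destination address
    + struct.pack("!HHIIHHHH",
                  48628,                # source port
                  80,                   # destination port
                  2914302952,           # sequence number
                  0,                    # acknowledgement number (none on an initial SYN)
                  (5 << 12) | TCP_FLAG_BITS["CWR"] | TCP_FLAG_BITS["ECE"] | TCP_FLAG_BITS["SYN"],
                  64240,                # window
                  0,                    # checksum (left zero in this sample)
                  0)                    # urgent pointer
)


def parse_ip_header(data: bytes) -> dict:
    """Decode the fixed part of an IPv4 header (Figure 2, IP header)."""
    if len(data) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or header_len < 20 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "header_len": header_len, "tos": tos,
        "total_len": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed part of a TCP header (Figure 2, TCP header) and its Table 1 flags."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "flags": {name: bool(off_flags & bit) for name, bit in TCP_FLAG_BITS.items()},
        "window": window, "checksum": csum, "urgent_pointer": urg,
    }


def packet_attributes(data: bytes) -> dict:
    """Flatten one packet into the header attributes a per-packet classifier would see."""
    ip = parse_ip_header(data)
    if ip["protocol"] != 6:
        raise ValueError("not a TCP packet")
    tcp = parse_tcp_header(data[ip["header_len"]:])
    return {
        "src": ip["src"], "dst": ip["dst"], "ttl": ip["ttl"],
        "sport": tcp["sport"], "dport": tcp["dport"],
        "flags": sorted(name for name, on in tcp["flags"].items() if on),
        # Source address equal to destination address is the "land" pattern of Section 3.1.1.
        "land": ip["src"] == ip["dst"],
    }


if __name__ == "__main__":
    print(packet_attributes(SAMPLE_PACKET))
```

The sample carries CWR and ECE together with SYN, the ECN-capable connection set-up that RFC 3168 introduced, so a parser written against the original "reserved" interpretation of those bits would misreport it.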


A typical TCP session for the transfer of data is shown in Figure 3. Before any data exchange takes place, the client and server must complete a three-way handshake. A sample handshake, captured by tcpdump [24], is shown below with the timestamp removed:


xx.xy.yz.1.48628 > xa.xb.xc.169.80: S 2914302952:2914302952(0) win 64240 <mss 1460> (DF)
xa.xb.xc.169.80 > xx.xy.yz.1.48628: S 407888030:407888030(0) ack 2914302953 win 32120 <mss 1460> (DF)
xx.xy.yz.1.48628 > xa.xb.xc.169.80: . ack 407888031 win 0

A connection exists when the handshake is complete, at which point data may be exchanged.

In summary, a TCP connection progresses as follows when the server initiates a clean tear-down [20,25,26]:

1. Client sends a SYN packet with sequence number J.

2. Server receives the SYN packet and sends its own SYN packet with a sequence number K. At the same time it acknowledges the client's SYN packet by sending an acknowledgement (ACK) packet with an acknowledgement number J + 1.

3. The client acknowledges the server's SYN packet by sending an ACK packet with an acknowledgement number K + 1. This establishes a full connection. The three-way handshake is complete and the client can then transmit data to the server.

4. The client and server exchange data, each sending an acknowledgement when data is received.
(1) Reserved bits.
Figure 3: TCP data packet exchange and data transfer (client and server).


5. The server closes the connection by transmitting a FIN packet with sequence number M.

6. The client acknowledges the FIN packet with an ACK whose acknowledgement number is M + 1 (assuming no data transmitted). If D bytes of data are transmitted, then the acknowledgement number is M + 1 + D. The server may still send more data. The client closes the connection by transmitting its own FIN packet with sequence number N.

7. Finally the server transmits an ACK packet with sequence number N + 1. That terminates the connection.

Either party may initiate termination of the connection, and the termination may not be as graceful as shown above. The connection may be terminated at any time by resetting it with a TCP RST packet.
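The handshake capture and the seven-step connection sequence above can be checked mechanically, which is what a sensor working on tcpdump output would have to do. The following Python program is an added example by the editor, not code from the report: it parses lines in the classic tcpdump format shown above, verifies that three captured packets satisfy steps 1 to 3 (the server acknowledges J + 1, the client acknowledges K + 1, both directions match), and tabulates the sequence and acknowledgement numbers steps 5 to 7 predict for a server-initiated close. The sample lines are a constructed copy of the capture above with the report's anonymised addresses; the regular expression, the data class and the reading that the D data bytes precede the client's acknowledgement are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the three-line handshake shown above (timestamps removed).
# The addresses are the report's anonymised placeholders, not real hosts.
SAMPLE_HANDSHAKE = [
    "xx.xy.yz.1.48628 > xa.xb.xc.169.80: S 2914302952:2914302952(0) win 64240 <mss 1460> (DF)",
    "xa.xb.xc.169.80 > xx.xy.yz.1.48628: S 407888030:407888030(0) ack 2914302953 win 32120 <mss 1460> (DF)",
    "xx.xy.yz.1.48628 > xa.xb.xc.169.80: . ack 407888031 win 0",
]

# Classic tcpdump TCP line: "src.port > dst.port: FLAGS [seq:seq_end(len)] [ack N] [win W] ..."
LINE_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)


@dataclass
class TcpSummary:
    src: str
    dst: str
    flags: str              # tcpdump flag letters; "." means none of S, F, R, P
    seq: Optional[int]
    length: int
    ack: Optional[int]
    win: Optional[int]


def parse_tcpdump_line(line: str) -> TcpSummary:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    g = m.groupdict()
    return TcpSummary(
        src=g["src"], dst=g["dst"], flags=g["flags"],
        seq=int(g["seq"]) if g["seq"] else None,
        length=int(g["length"]) if g["length"] else 0,
        ack=int(g["ack"]) if g["ack"] else None,
        win=int(g["win"]) if g["win"] else None,
    )


def validate_handshake(lines: List[str]) -> Tuple[bool, List[str]]:
    """Check three captured packets against steps 1-3 of the connection sequence above.
    Returns (all checks passed, names of the checks that failed)."""
    pkts = [parse_tcpdump_line(line) for line in lines]
    if len(pkts) != 3:
        return False, ["expected exactly three packets"]
    syn, synack, ack = pkts
    checks = [
        ("step 1: client SYN carries no ACK",
         "S" in syn.flags and syn.ack is None and syn.seq is not None),
        ("step 2: server replies with its own SYN",
         "S" in synack.flags and synack.src == syn.dst and synack.dst == syn.src),
        ("step 2: server acknowledges J + 1",
         syn.seq is not None and synack.ack == syn.seq + 1),
        ("step 3: client sends a pure ACK",
         ack.flags == "." and ack.src == syn.src and ack.dst == syn.dst),
        ("step 3: client acknowledges K + 1",
         synack.seq is not None and ack.ack == synack.seq + 1),
    ]
    failed = [name for name, ok in checks if not ok]
    return not failed, failed


def expected_teardown(m: int, n: int, d: int = 0) -> List[Tuple[str, str, Optional[int], Optional[int]]]:
    """Steps 5-7 as (sender, flag, sequence number, acknowledgement number) for a
    server-initiated close in which d further data bytes from the server precede
    the client's acknowledgement (the editor's reading of step 6)."""
    return [
        ("server", "FIN", m, None),
        ("client", "ACK", None, m + 1 + d),
        ("client", "FIN", n, None),
        ("server", "ACK", None, n + 1),
    ]


if __name__ == "__main__":
    print(validate_handshake(SAMPLE_HANDSHAKE))
    print(expected_teardown(1000, 5000, d=10))
```

The validator reports which step failed rather than a bare boolean, because a sensor that sees a SYN/ACK acknowledging something other than J + 1 and one that sees a third packet from the wrong host are looking at different kinds of anomaly.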

2.2 Artificial Neural Networks 

ANN models attempt to emulate the human brain through the dense interconnection of simple computational elements called neurons [27]. Each neuron is linked to some of its neighbours through synaptic connections of varying strengths. Learning is accomplished by continuously adjusting these connection strengths (weights) until the overall network outputs the desired results. These weight adjustments are based on mathematical algorithms used in solving nonlinear optimization functions.

2.2.1 The Neuron 

Similar to the biological nervous system, the basic computational element of an ANN is called the neuron or processing node. The neuron model is based on highly simplified considerations of the biological neuron. A simple node is shown in Figure 4, where N inputs are summed at the node. Each input $u_i$ is connected to the processing node through the synaptic connections, which are represented by connection strengths called weights $w_i$. A bias term $\theta$ is also used at each node. The sum is fed through a transfer function $f$, called the activation function, to generate the output $o$. The signal flow is considered unidirectional as indicated by the arrows.


Figure 4: The basic neuron

Although ANNs are constructed using this fundamental building block, there are 
significant differences in the architectures and driving fundamentals behind each 
ANN model. 

2.2.2 The Activation Function 

The activation function $f$ plays a pivotal role in the functioning of the neuron. It determines the node output. As in Figure 4, the neuron output signal is given by:

$o = f(\mathbf{w}^{T}\mathbf{u})$    (1)

where $\mathbf{w}$ is the weight vector defined as

$\mathbf{w} = [\,w_1 \; w_2 \; \cdots \; w_N\,]^{T}$

and the input vector $\mathbf{u}$ is defined as

$\mathbf{u} = [\,u_1 \; u_2 \; \cdots \; u_N\,]^{T}$

There are many different types of activation functions $f$ to choose from, depending on the application [2,27,28]. Some of the commonly used activation functions are shown in Figure 5. These activation functions are the hard-limiter, the threshold logic, and the sigmoid. Since real applications are usually modeled as continuous functions, the most commonly used continuous activation function is the sigmoid.



Figure 5: Activation functions (hard limiter, threshold logic, sigmoid)


Activation functions may be either unipolar, for positive output, or bipolar for output that may be positive or negative. For example, the bipolar sigmoidal activation function is defined as:

$f(x) = \frac{2}{1 + \exp(-\lambda x)} - 1$    (2)

and the unipolar sigmoidal activation function is defined as

$f(x) = \frac{1}{1 + \exp(-\lambda x)}$    (3)

where $\lambda$ is a constant.


A special case of an ANN is a single node based on the neuron model shown in 
Figure 4 and is called a perceptron after the work of Rosenblatt [27]. A perceptron 
consists of one or more neurons. If a continuous activation function is used, the 
neuron model is known as a continuous perceptron. A continuous perceptron is 
capable of classifying linearly separable classes of data of the form ax+b. Multiple 
nodes in this format form a single layer multi-node ANN capable of classifying 
linearly separable data patterns. 
2.2.3 Multi-Layer ANNs


To emulate massively interconnected biological systems, ANNs have to be similarly 
interconnected. ANNs are the simple clustering of primitive artificial neurons. This 
clustering occurs by creating layers of neurons which are connected to one another. 
Figure 6 shows a multi-layer perceptron. An input layer interfaces with the outside 
world to receive inputs and an output layer provides the outside world with the 
network’s outputs. The rest of the neurons are hidden from view, and are called 
hidden layers. 


Figure 6: Multi-layer perceptron (input layer, hidden layers, and output layer with outputs $o_1, o_2, \ldots, o_L$)

The objective of using a multi-layer perceptron is to be able to classify patterns 
that linear classifiers (single layer ANNs) are incapable of classifying. The most 
important attribute of multi-layer ANNs is that they can learn to classify a problem 
of any complexity. The biggest challenge is usually in deciding the number of 
hidden layers in an ANN. 

Zurada [2] gives an extensive discussion on the design of the number and size of 
hidden layers in a given architecture; nevertheless, trial and error methods have 
been widely used. If the number of hidden layers is too large, the ANN architecture 
will have problems generalizing; it will simply memorize the training set, making 
it useless for use with new data sets. 

Inter-layer connections within an ANN architecture can take the following forms [2]:


• In a fully-connected ANN, each neuron on one layer is connected to every neuron on the next layer.

• In a partially-connected ANN, a neuron on one layer does not have to be connected to all neurons on the next layer.

If signal flow direction is taken into consideration, these two architectures can be further refined:

• In a feedforward ANN, the neurons on one layer send their output to the neurons 
in the next layer, but they do not receive any input back from the neurons in the 
next layer. 

• In a bi-directional ANN, the neurons on one layer may send their output to the 
next layer or the preceding layer, and the subsequent layers may also do the 
same. 

• In a hierarchical ANN connection, the neurons of a lower layer may only communicate with neurons on the next level of layers.

• In a resonance-connected ANN, the layers have bi-directional connections, and 
they can continue sending messages across the connections a number of times 
until previously defined conditions are achieved. 

In more sophisticated ANN structures the neurons communicate among themselves within a layer; this is known as intra-layer connection. These take the following two forms:

• In fully- or partially-connected recurrent networks, neurons within a layer com¬ 
municate their outputs to neurons within the layer. This is done a number of 
times before they are allowed to send their outputs on to another layer. 

• In on-center/off-surround ANNs, a neuron within a layer has excitatory connections to itself and its neighbors, and has inhibitory connections to other neurons.
The neurons exchange their output signals a number of times until a winner is 
found. The winner is allowed to update its and its members’ weights. 

The overall architecture of an ANN depends on the mappings required, the type of 
input patterns, and the learning rules to be used. 


2.2.4 ANN Training 

Similar to the brain, ANNs learn from experience by changing the ANN's connection weights until a solution is found. The learning ability of an ANN is determined by its architecture and by the algorithm chosen for training. The training methods [27] fall into broad categories:

• In unsupervised training, hidden neurons find an optimum operating point by themselves, without external influence.

• Supervised training requires that the network be given sample input and output patterns to learn. It is guided through the learning process until a satisfactory optimum operating point or a predefined threshold is reached. The most common training termination criterion is a training threshold.

Backpropagation training is a form of supervised learning that has proven highly 
successful in training multi-layered ANNs. Information about errors is filtered back 
through the system and is used to adjust the connections between the layers, thus 
improving performance. 

ANNs can be trained on-line or off-line. In off-line training algorithms, the weights do not change after the successful completion of the initial training. This is the most common training approach, especially in supervised training. In on-line or real-time learning, weights continuously change while the system is in operation [2].

2.2.5 Training Rules 

There is a wide variety of learning rules that are used with ANNs. Error minimization algorithms are used to determine the convergence levels when updating weights. In general, all ANN learning involves the iterative updating of the connection weights until the desired convergence is achieved. Most training algorithms start by initializing the weights to 0 or very small random numbers. This weight update is given by:

$\mathbf{w}^{k+1} = \mathbf{w}^{k} - \Delta\mathbf{w}^{k}$    (4)

Equation 4 is the ANN general learning rule [2]. The numerous learning rules, which are variations of this rule, only differ by the mathematical algorithms used to update the connection weights, or more specifically to calculate the value of $\Delta\mathbf{w}^{k}$ at each iteration $k$. Some of the common training rules are as follows:

• In the Hebbian rule [2,28], the connection weight update $\Delta\mathbf{w}^{k}$ is proportional to the neuron's output. This was the first ANN learning rule [27,29].

• The perceptron rule [27] updates the weights based on the difference between 
the desired output d and the actual neuron’s response o. 

• The delta learning rule [27,29] is based on the minimisation of the mean square error (MSE) as represented by the error function $E$, as shown in Equation 5.

$\mathbf{w}^{k+1} = \mathbf{w}^{k} - \eta\,\nabla E(\mathbf{w}^{k})$    (5)

where $\eta$ is a learning constant, and $\nabla E$ is the gradient of the error function $E$, defined by:

$E^{k} = \tfrac{1}{2}\,(d^{k} - o^{k})^{2}$    (6)

The objective is to iterate Equation 5 until the error $E$ approaches zero (or a preset threshold value).

For an ANN with $P$ training patterns, and $K$ outputs, the root-mean square error (also known as the MSE [2]) is defined as:

$E_{rms} = \sqrt{\frac{1}{PK}\sum_{p=1}^{P}\sum_{k=1}^{K}(d_{pk} - o_{pk})^{2}}$    (7)


• The Widrow-Hoff [2,28] learning rule (sometimes called the Least Mean Square 
learning rule) is considered a special case of the delta learning rule in that the 
neuron output o is independent of the activation function /. 

• The most widely used supervised training approach derived from the Widrow-Hoff algorithm is the error backpropagation training algorithm. As the name implies, the error $\Delta w_k$ is propagated back into the previous layers. This is done one layer at a time, until the first layer is reached.

Consider an ANN with one hidden layer, K outputs, J hidden nodes, I inputs, and P training patterns. The output layer weights are adjusted as follows:

$w_{kj} = w_{kj} + \eta \delta_{ok} y_j, \quad k = 1, \ldots, K, \; j = 1, \ldots, J$    (8)

where $\eta$ is a learning constant and the output error $\delta_{ok}$ is given by

$\delta_{ok} = \frac{1}{2}(d_k - o_k)(1 - o_k^2), \quad k = 1, 2, \ldots, K$    (9)

The weight update for the hidden layer is as follows: 

$w_{ji} = w_{ji} + \eta \delta_{yj} u_i, \quad j = 1, \ldots, J, \; i = 1, \ldots, I$    (10)

where the hidden-node error $\delta_{yj}$ is given by

$\delta_{yj} = \frac{1}{2}(1 - y_j^2) \sum_{k=1}^{K} \delta_{ok} w_{kj}, \quad j = 1, 2, \ldots, J$    (11)

The process is iteratively repeated until a preset threshold of the MSE (Equation 7) is achieved.

3 Packet Anomaly Detection Approach


In Section 3.1 we explore those TCP packet attributes that would enable an ANN 
classifier to identify normal and abnormal activity on a packet-by-packet basis. 
From these attributes, we form classifiers to be applied in the ANN in Section 3.2. 

In Section 3.3, we define the ANN model to be applied to this problem. 

3.1 Attributes 

A TCP packet can be characterised by the fields of the IP and TCP headers, shown 
in Figure 2. Some of the header field values are more indicative of an attack and 
misuse than others. In this section, we take a detailed look at how some of the 
attributes can be used to classify a packet as being suspicious. We also look at 
ways to combine these attributes in a way that would enhance our ability to detect 
a network anomaly by just looking at individual packets. 

3.1.1 IP Addresses 

Four-byte IP addresses identify the source and destination of a packet. These attributes are used to identify suspicious IP addresses. Suspicious IP addresses are classified as follows:

• IP source address is the same as IP destination address (land DoS attack). 

• IP address is a member of the private Internet address ranges, defined as 10.0.0.0/8, 
172.16.0.0/12, and 192.168.0.0/16. As well, the loopback address 127.0.0.1 can 
indicate misuse. 

• Source IP address is a broadcast or multicast address. TCP packets cannot be broadcast or multicast since a three-way handshake is needed for communication.

This attribute can also be used to identify activity from "rogue" IP addresses associated with previously-identified suspicious activities, or from prohibited IP domains such as well-known AOL Instant Messenger (AIM) servers.

3.1.2 TCP Ports 

TCP requires the use of ports to make a connection. When a client initiates a connection with a server, the client generally uses an ephemeral (i.e. short-lived) port and the server generally uses a well-known port; however, any service may technically be run on any port [20, 22]. The Internet Assigned Names Authority (IANA) defines the following port ranges [30]:

Well-known: ports 0-1023

Registered: ports 1024-49151

Dynamic and/or private: ports 49152-65535


The ephemeral ports were at one time defined as ranging from 1024 to 5000, but 
have since changed to use the dynamic port range as defined above. 

The inclusion of the port attribute reflects the fact that a well-known port and an ephemeral port are almost always used in TCP communications. Due to the variety of implementations of TCP, this model generalizes the ephemeral ports as the range 1024-65535. Some types of port scans may be detected through this attribute, as well as trojans and distributed denial of service (DDoS) activity.

This classifier will alert on packets with the following attributes: 

• Either source or destination port of 0 

• Both ports greater than 1023 

• Both ports less than or equal to 1023 

Port numbers and session flags form a set of aggregate attributes, as discussed in Section 3.1.6.

3.1.3 TCP Sequence and Acknowledgement Numbers 

TCP uses 32-bit sequence numbers to order the data received. The sequence numbers consist of the initial sequence number (ISN), which represents the session establishment, and an acknowledgement number [20]. In this model, we check to see if the sequence and acknowledgement numbers are valid. Sequence and acknowledgement numbers should be non-zero positive integers. Sequence and acknowledgement numbers together form an aggregate attribute, discussed in Section 3.1.6.

3.1.4 TCP Session Flags 

The TCP flags of a given packet convey a message to the recipient. The valid combinations of the TCP flags listed in Table 1 and their meanings are shown in Table 2 [31]. Anything outside these combinations is viewed as suspicious. In addition, any use of the reserved bits [22] or a packet with no flags set (null session) is also viewed with suspicion. These are commonly used by attackers in OS fingerprinting. However, as per RFC 3168 [23], the reserved bits have now been proposed for use in TCP congestion control. Since explicit congestion control (ECN) is not yet an adopted standard (not all routers or network nodes implement it), alerts related to these bits should be treated with caution.
Table 2: Valid TCP flag-byte combinations. The listed flag bits are set.

| Flag Combinations | Function |
|---|---|
| SYN | Request connection |
| SYN/ACK | Agree to open connection |
| ACK, PSH/ACK, ACK/URG, PSH/ACK/URG | Acknowledge receipt |
| FIN/ACK, FIN/PSH/ACK, FIN/PSH/ACK/URG | Request to close connection |
| RST, RST/ACK, RST/PSH, RST/URG, RST/PSH/ACK, RST/PSH/URG, RST/ACK/URG, RST/PSH/ACK/URG | Sever connection |


3.1.5 Payload Size 

The payload size of a TCP packet can be combined with other attributes to indicate 
anomalous activity, as listed in Section 3.1.6. 


3.1.6 Composite Attributes 

Other classifiers that identify anomalous activity must be built as a combination of the attributes described above. The following composite attributes are incorporated into the model:

• The combination of only a SYN flag bit set and non-zero payload. 

• The combination of only a SYN flag bit set on a packet with a source port that 
is a well-known port number. This is a special case of the port attribute where 
we can include directionality. 

• The combination of RST and ACK bits set and non-zero payload. Note, however, that some TCP implementations will attach a message stating the reason that a connection was torn down.

• Acknowledgement and sequence numbers equal to zero and flags RST or RST/ACK 
not set. 


3.2 Classifiers 

For maximum efficiency of the model, it is beneficial to minimize the total number of classifiers. While the attributes listed in Section 3.1 could each be applied individually, resulting in 10 classifiers, it is preferable to group attributes. For example, the TCP session flags may be grouped to train a single classifier. In this work, however, it was established that instead of having classifiers for each individual set of attributes, we can combine the session flags with the payload size and port number attributes.

In Table 3, the four classifiers that form a complete set for detection of TCP anomalies are shown. The attributes associated with each classifier are listed along with the number of inputs to each ANN classifier. Note that the fourth classifier includes the source port attribute, but this attribute is not used. It is included to demonstrate the case where one might want to apply a policy denying a certain service from a particular IP address or range of addresses.

Table 3: The ANN classifier configurations. SEQ is the TCP sequence number and ACK is the TCP acknowledgement number.

| Classifier | Classifier Input Variables | Anomalies |
|---|---|---|
| Flags | TCP flags; TCP ports; Payload size | Bad flag combinations; SYN with payload; RST or RST/ACK with payload; SYN with well-known source port |
| Ports | TCP ports | Both ports > 1023; Both ports ≤ 1023; Source or destination port 0 |
| Sequence | TCP sequence number; TCP acknowledgement number; TCP flags (2 inputs) | SEQ=ACK=0 and not R or RA |
| IP | IP addresses | Private IP addresses; Source IP same as destination IP; Broadcast IP addresses |


The classifiers are modelled in this work such that attack data may trigger an alert 
in more than one classifier. However, if an anomalous packet raises an alert in 
one classifier, it does not necessarily mean that it will raise an alert in all the other 
classifiers. In some cases, there was more than one alert in a single packet. This 
would therefore trigger alerts from more than one classifier. 
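The attribute tests of Sections 3.1.1 to 3.1.6, grouped into the four classifiers of Table 3, as an added Python example that is not the report's MATLAB/NTA implementation. The rule definitions, ranges and Table 2 flag combinations come from the text; the packet record, the parser for the tcpdump-style line layout printed in Annexes B and C, and all function names are assumptions made here. The sample input reuses four lines from Annexes B and C and adds one constructed RST/ACK-with-payload line. The IP check takes its private-range list as a parameter because, as Section 5.1 notes, the DARPA network itself uses private ranges, and the Flags check takes an allow-list of well-known source ports so that the ftp-data case described in Section 5.2.1 can be tuned out.

```python
"""Packet-attribute checks of Section 3.1 grouped into the four classifiers of
Table 3. Added example, not the report's code; the record layout, the parser
for the Annex B/C line format and the function names are assumptions."""
import ipaddress
import re
from collections import namedtuple

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_address("127.0.0.1")
BROADCAST = ipaddress.ip_address("255.255.255.255")
# Table 2: valid flag-byte combinations (S=SYN A=ACK F=FIN R=RST P=PSH U=URG).
# Anything else, including no flags (null) or reserved bits, is suspicious.
VALID_COMBINATIONS = {frozenset(c) for c in (
    "S", "SA", "A", "PA", "AU", "PAU", "FA", "FPA", "FPAU",
    "R", "RA", "RP", "RU", "RPA", "RPU", "RAU", "RPAU")}

# flags: frozenset of flag letters (reserved-bit letters such as W/E included);
# ack is 0 when the line prints no ack field; payload is the TCP data length.
Packet = namedtuple("Packet", "src sport dst dport flags seq ack payload")

# Layout of the tcpdump-style lines in Annexes B and C (assumed here):
#   date time src:sport > dst:dport: FLAGS seq:end(len) [ack N] win W
LINE_RE = re.compile(
    r"^\S+ \S+ (\S+):(\d+) > (\S+):(\d+): (\S+) (\d+):\d+\((\d+)\)(?: ack (\d+))?")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    src, sport, dst, dport, flags, seq, plen, ack = m.groups()
    letters = set(flags) - {"."}   # "." is tcpdump's marker for no S/F/R/P flag
    if ack is not None:            # an ack field is printed only when ACK is set
        letters.add("A")
    return Packet(ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst),
                  int(dport), frozenset(letters), int(seq), int(ack or 0), int(plen))

def ip_alerts(p, private=PRIVATE_RANGES):
    """Section 3.1.1; `private` is narrowed when the monitored network uses
    private ranges itself (Section 5.1)."""
    alerts = []
    if p.src == p.dst:
        alerts.append("source IP same as destination IP (land)")
    for a in (p.src, p.dst):
        if a == LOOPBACK or any(a in n for n in private):
            alerts.append("private/loopback address %s" % a)
    if p.src.is_multicast or p.src == BROADCAST:
        alerts.append("broadcast/multicast source address")
    return alerts

def port_alerts(p):
    """Section 3.1.2: a normal session pairs a well-known and an ephemeral port."""
    alerts = []
    if p.sport == 0 or p.dport == 0:
        alerts.append("port 0")
    if p.sport > 1023 and p.dport > 1023:
        alerts.append("both ports > 1023")
    if p.sport <= 1023 and p.dport <= 1023:
        alerts.append("both ports <= 1023")
    return alerts

def sequence_alerts(p):
    """Sections 3.1.3 and 3.1.6: SEQ=ACK=0 is expected only on RST or RST/ACK."""
    if p.seq == 0 and p.ack == 0 and p.flags not in ({"R"}, {"R", "A"}):
        return ["SEQ=ACK=0 and not RST or RST/ACK"]
    return []

def flag_alerts(p, allowed_syn_sports=frozenset()):
    """Sections 3.1.4 to 3.1.6; allowed_syn_sports tailors the check to the
    network, e.g. ftp-data answering from port 20 (Section 5.2.1)."""
    alerts = []
    if p.flags not in VALID_COMBINATIONS:
        alerts.append("bad flag combination: %s" % ("".join(sorted(p.flags)) or "null"))
    if p.flags == {"S"}:
        if p.payload > 0:
            alerts.append("SYN with payload")
        if p.sport <= 1023 and p.sport not in allowed_syn_sports:
            alerts.append("SYN with well-known source port %d" % p.sport)
    if p.flags in ({"R"}, {"R", "A"}) and p.payload > 0:
        alerts.append("RST or RST/ACK with payload")
    return alerts

def classify(p, private=PRIVATE_RANGES, allowed_syn_sports=frozenset()):
    """All four classifiers; one packet may alert in several (Section 3.2)."""
    return {"IP": ip_alerts(p, private), "Ports": port_alerts(p),
            "Sequence": sequence_alerts(p), "Flags": flag_alerts(p, allowed_syn_sports)}

# Four lines from Annexes B and C plus one constructed RST/ACK-with-payload line
# (192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts).
SAMPLE_LINES = [
    "1999-04-09 18:32:17.628397 172.16.113.50:25 > 172.16.113.50:25: S 3868:3868(0) win 2048",
    "1999-04-05 13:43:08.073616 208.240.124.83:43170 > 172.16.112.50:3: F 0:0(0) win 2048",
    "1999-04-05 22:03:55.501770 10.20.30.40:4673 > 172.16.112.50:1: S 2187784450:2187784450(0) win 242",
    "1999-04-06 20:55:02.514404 199.227.99.125:26878 > 172.16.113.50:25: SWE 1924662232:1924662232(0) win 4660",
    "2004-05-01 00:00:00.000000 192.0.2.10:80 > 198.51.100.7:40001: R 1:1(12) ack 100 win 0",
]
# The DARPA network uses 172.16.0.0/12 itself, so only 10.0.0.0/8 counts as private here.
DARPA_PRIVATE = [ipaddress.ip_network("10.0.0.0/8")]

def run(lines=SAMPLE_LINES):
    """Per line, the classifiers that alerted and why (silent classifiers dropped)."""
    return [{c: a for c, a in classify(parse_line(l), private=DARPA_PRIVATE).items() if a}
            for l in lines]
```

`run()` reports, for each line, which classifiers fired and the attribute that fired them: the land packet trips IP, Ports and Flags at once, the lone FIN trips Flags and Sequence, the Neptune SYN trips only IP, the SWE packet only Flags. Reporting the triggering classifier is the report's own way of telling the operator the cause of an alert (Section 6), and the per-packet labels this produces are what the supervised classifiers of Section 3.3 are trained against.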


3.3 The ANN Packet Anomaly Detection Model 

Because the network data we were dealing with in this work formed multiple ANN inputs and could not be classified using a linear classifier (single-layer perceptron), three-layer fully-connected feedforward ANNs were used. A hidden layer was required due to the non-linear mapping between input and output.

Each classifier is a three-layer feedforward perceptron (including a hidden layer). The number of nodes in each layer depends on the number of input variables to the classifier, as listed in Table 4. With over 100 000 training samples at a time, the number of input nodes was initially selected to be N + 1 [2,28,32] and the number of hidden layer nodes was initially selected to be 2N + 1, but less than 3N [27,33], where N is the number of inputs for the classifier. Starting with N + 1 input nodes, the number of hidden layer nodes was adjusted until convergence was achieved.

Table 4: The number of inputs and number of nodes in the layers of the ANN classifiers. There is one output node for all classifiers.

| Classifier | Inputs | Input nodes | Hidden layer nodes |
|---|---|---|---|
| Flags | 10 | 11 | 25 |
| Ports | 2 | 3 | 7 |
| Sequence | 4 | 5 | 11 |
| IP | 3 | 4 | 9 |


The ANN model uses a unipolar sigmoidal activation function for the output node. This is because the classifier outputs (Section 3.2) cannot take on negative values. The sigmoidal activation function given in Equation 3 is used with λ = 1.

Off-line supervised training was implemented with the error backpropagation training algorithm. By using off-line training, we avoid allowing an attacker to re-train the system. Error backpropagation training was used due to its success in other related work [12].






4 The Procedure 


As discussed in Section 2.2, the ANN architecture is dependent on the attribute 
space under consideration. In order to be able to identify and classify different 
attacks and violations, this system employed a number of ANN classifiers. Each 
classifier was trained to detect and classify one or more attacks. In Figure 7, the 
stages in the implementation of the model are summarised. 

[Figure 7 is not reproduced here; it shows three stages: Stage 1 (Training), Stage 2 (Validated), Stage 3 (Alerts).]

Figure 7: Implementation of the model.

The first stage of the implementation of the model involved training the ANN. A suitable set of network data was obtained (in this case from the 1999 DARPA IDS Evaluation data set [19]) and the packet features (attributes) relevant to the classifiers were extracted from the data and stored in memory. The multi-classifier ANN was trained based on this data, which consisted of clean (attack free) traffic merged with traffic known to contain the attribute violations. In the second stage, the ANN was tested to verify that it had learned correctly. The alerts that came out of this stage should match the traffic in the training data that violated the attributes. If the ANN had been validated to have learned correctly, the ANN was applied to unknown, real data in the third stage.

4.1 ANN Training 

The ANN was trained using week 1 of the 1999 DARPA IDS Evaluation data set [19], which consists of five days of attack-free traffic collected in tcpdump format on a simulated network. The data collected on the internal sniffer was used. Twenty-five percent of this data was manually modified to reflect the anomalous attribute definitions given in Section 3.1.

Training was achieved by making repeated presentations of the training data to the neural network. Weights were initialized to small random numbers [2,28]. Network training parameters (i.e. λ, error gradient, and learning rate η) were changed by trial and error whenever necessary to ensure that convergence was achieved.

Each classifier was trained with the same data sample for consistency: in a real-time implementation, all classifiers see each packet simultaneously. The training of each classifier was independent of the others, and the training results from one classifier did not affect the training of the next classifier. Data was presented to each ANN classifier until the individual convergence criterion was met (Equation 7). A set of 100 000 packets was presented 50 times to the ANN, and this process was repeated with subsequent sets of 100 000 packets until the MSE of 1 × 10^-4 was achieved.
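Equations 8 to 11, the error of Equation 7, and the training loop just described (repeated presentations of a pattern set until a preset E_rms threshold is met), as an added Python example that is not the report's MATLAB/Neural Network Toolbox code. It assumes the bipolar sigmoid, because the factor (1/2)(1 - o²) in Equations 9 and 11 is that function's derivative, with λ = 1 as in Section 3.3, and demonstrates the Ports classifier with the Table 4 layout (3 input nodes including the bias, 7 hidden nodes, 1 output) on a constructed four-pattern set built from the two boolean inputs "source port ≤ 1023" and "destination port ≤ 1023". The class and function names (MLP, present, train, port_inputs, is_anomalous) are this example's own, and the learning rate 0.25 and E_rms target 0.05 are chosen for this small set rather than the report's η = 0.7 and 1 × 10^-4.

```python
"""Error backpropagation for a three-layer perceptron, written from
Equations 8-11 and trained as in Section 4.1 (repeated presentations until
E_rms of Equation 7 falls below a preset threshold).

Added example, not the report's MATLAB code. Uses the bipolar sigmoid, whose
derivative (1/2)(1 - o^2) is the factor in Equations 9 and 11; the Ports
classifier is demonstrated on constructed boolean port inputs.
"""
import math
import random

LAMBDA = 1.0  # sigmoid steepness; Section 3.3 uses lambda = 1


def sigmoid(net):
    """Bipolar sigmoid, output in (-1, 1); f'(net) = (1/2)(1 - f(net)^2)."""
    return 2.0 / (1.0 + math.exp(-LAMBDA * net)) - 1.0


def output_delta(d, o):
    """Equation 9: delta_ok = (1/2)(d_k - o_k)(1 - o_k^2)."""
    return 0.5 * (d - o) * (1.0 - o * o)


def hidden_delta(y_j, deltas_o, w_col):
    """Equation 11: delta_yj = (1/2)(1 - y_j^2) * sum_k delta_ok * w_kj."""
    return 0.5 * (1.0 - y_j * y_j) * sum(dk * wkj for dk, wkj in zip(deltas_o, w_col))


class MLP:
    """Fully connected I-J-K network. A constant +1 is appended to the input and
    hidden vectors so each bias is an ordinary weight (the N + 1 input nodes of
    Section 3.3)."""

    def __init__(self, n_in, n_hidden, n_out, seed=1):
        rng = random.Random(seed)  # small random initial weights (Section 4.1)
        self.w_ji = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)]
                     for _ in range(n_hidden)]
        self.w_kj = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]
                     for _ in range(n_out)]

    def forward(self, u):
        u = list(u) + [1.0]
        y = [sigmoid(sum(w * x for w, x in zip(row, u))) for row in self.w_ji] + [1.0]
        o = [sigmoid(sum(w * x for w, x in zip(row, y))) for row in self.w_kj]
        return u, y, o

    def present(self, u, d, eta):
        """One training pattern: forward pass, then Equations 8-11."""
        u, y, o = self.forward(u)
        delta_o = [output_delta(dk, ok) for dk, ok in zip(d, o)]
        delta_y = [hidden_delta(y[j], delta_o, [row[j] for row in self.w_kj])
                   for j in range(len(self.w_ji))]          # the bias node has no error
        for k, row in enumerate(self.w_kj):                  # Equation 8
            for j in range(len(row)):
                row[j] += eta * delta_o[k] * y[j]
        for j, row in enumerate(self.w_ji):                  # Equation 10
            for i in range(len(row)):
                row[i] += eta * delta_y[j] * u[i]


def rms_error(net, patterns):
    """Equation 7 over P patterns and K outputs."""
    P, K = len(patterns), len(patterns[0][1])
    total = sum((dk - ok) ** 2
                for u, d in patterns for dk, ok in zip(d, net.forward(u)[2]))
    return math.sqrt(total / (P * K))


def train(net, patterns, eta=0.25, target=0.05, max_epochs=20000):
    """Present the whole set repeatedly until E_rms < target; returns epochs used."""
    for epoch in range(1, max_epochs + 1):
        for u, d in patterns:
            net.present(u, d, eta)
        if rms_error(net, patterns) < target:
            return epoch
    return max_epochs


def port_inputs(sport, dport):
    """Bipolar encoding of the Section 3.1.2 attribute: +1 if the port is well-known."""
    return tuple(1.0 if p <= 1023 else -1.0 for p in (sport, dport))


# Constructed training set for the Ports classifier: two well-known or two
# ephemeral ports is anomalous (+1); one of each is normal (-1).
PORT_PATTERNS = [
    (port_inputs(22, 515), (1.0,)), (port_inputs(80, 40001), (-1.0,)),
    (port_inputs(4673, 1), (-1.0,)), (port_inputs(8000, 32890), (1.0,)),
]


def is_anomalous(net, sport, dport):
    """Recall: the single output node is read as anomalous when positive."""
    return net.forward(port_inputs(sport, dport))[2][0] > 0.0


if __name__ == "__main__":
    net = MLP(2, 7, 1)
    print("epochs:", train(net, PORT_PATTERNS), "E_rms:", rms_error(net, PORT_PATTERNS))
    print(is_anomalous(net, 1023, 515), is_anomalous(net, 20, 3000))
```

The Ports target (two well-known or two ephemeral ports is anomalous, one of each is normal) is an exclusive-or of the two inputs, which is exactly the kind of mapping a single-layer perceptron cannot represent and the reason Section 3.3 requires a hidden layer.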

The ANN model was applied to the 1999 DARPA IDS evaluation data set [19] using the data collected by the inside sniffer, locke.eyrie.af.mil. The implementation was carried out using MATLAB release 16 with the aid of the Neural Network Toolbox [28]. The Network Traffic Analysis (NTA) toolbox [34] was also used to load and manipulate the network traffic.

4.2 ANN Testing and Recall 

After the training of the multi-layer perceptrons, they were tested using the training 
dataset. The training dataset is only used to validate the performance of the ANN 
after the training. If the training was successful, the neural network’s output should 
agree with the training dataset’s expected output. If the training was not successful, 
it had to be done again, this time with different training parameters and different 
initial weights. 

Once an ANN is successfully trained, it can be recalled using any network data available. In this case, the DARPA 1999 IDS Evaluation week 5 data was used during recall. This data consists of 5 separate data sets, each with over 1 × 10^6 packets of TCP/IP traffic and a variety of documented attacks.

5 Results


5.1 Model Training and Validation 

A sample training session curve for the first classifier (the IP classifier) is shown in 
Figure 8. Note that the IP classifier had originally been trained to detect all private 
IP addresses. Since the DARPA simulated network uses two private IP address 
domains, this classifier was easily modified and retrained. 



Figure 8: The training mean square error. 

The target MSE (Equation 7) of 1 × 10^-4 was met in 100 epochs of training; i.e. after two presentations. An epoch represents a complete pass through the ANN of 100 000 packets of training data. Each classifier had its own training parameters and convergence criteria. While the accelerated batch steepest descent training algorithm with an initial learning rate η = 0.7 and MSE of 1 × 10^-4 was used in all classifiers during the final phase of the training, the minimum gradients for the four classifiers were respectively 1 × 10^-12, 1 × 10^-6, 1 × 10^-10, and 1 × 10^-10. In all classifiers, the number of epochs was initially set to 50 to allow successive training of different successive sets of training data (our application could only load 100 000 packets at a time).

The models were first tested by performing an ANN recall on the training data. This is an essential validation step for ANN training. Each fully trained classifier was presented with the training data, and the results were compared with the expected output. In all cases, the validation was successful.

In the next section, we present the summarised alerts detected by the ANN classifiers. The detailed classifier alerts are presented in Annexes B to E.

5.2 Classifier Detection Performance for DARPA 1999 Data

The DARPA IDS Evaluation data from week 5 was used to test the model. In 
this data, there is a limited number of attacks that can be found by examining the 
headers of single TCP packets. The majority of the documented attacks required 
an analysis of content, which is not included in this model. Attacks such as the 
portsweeps on 04/07/99 and 04/08/99, which use legitimate IP addresses, TCP port 
numbers, flags, and sequence/acknowledgement numbers were not detected by any 
classifier. This type of activity requires the examination of a series of packets for 
detection. Other documented attacks were not present in the data collected by the 
internal sniffer and therefore could not be detected. Table 5 shows the documented 
attacks that were detected by the model. 

Modification of the IP classifier would allow one to detect activity based on access rules. For example, the xlock and xsnoop attacks could be detected via a classifier that has been configured to reflect the security policy of the network under surveillance.

The dosnuke attack may be detected if one modified the Flags classifier to alert on packets with the URG flag bit set. This, however, could also result in an increase in false positives, as the URG flag is not uncommon.

5.2.1 False Positives 

There were false positives related to our initial rule-set definitions and to errors arising from the model's (and the NTA toolbox's) inability to handle fragmented packets. There were 1 076 false positives related to the "SYN with low source port" aggregate attribute in the Flags classifier. FTP data transfers generally appear as a SYN with source port 20, hence all FTP data transfers in the week 5 data triggered an alert. Also, in the week 5 data, the printer was configured to communicate using ports 515 and 1023, which triggered 50 alerts for the Flags classifier (SYN with low source port) and 609 alerts for the Ports classifier (low port to low port). SSH sessions produced 7 244 alerts for the same reasons.

Fragmentation in the week 5 data was a source of 368 false positives in the Flags generated alerts. There were repeated telnet sessions where the client fragmented every packet. The first fragment ended 4 bytes into the TCP header, giving only the source and destination port in the first packet. All other information, including TCP flags, was carried by subsequent packets. It was decided that packet reassembly would not be implemented as part of this model, and all such alerts were ignored.

Table 5: Summary of DARPA 1999 week 5 detects.

| Date | Attack | Classifier | Details |
|---|---|---|---|
| 04/05/99 | Portsweep | Flags | Lone FIN packets |
| | | Sequence # | SEQ=ACK=0 |
| 04/05/99 | Neptune DoS | IP | Private IP address 10.20.30.40 |
| | | Flags | SYN packets with low source ports |
| | | Ports | Low ports to low ports |
| 04/06/99 | Ftp write | Ports | 513-1023 Low port to low port (final stage of attack) |
| 04/06/99 | Neptune DoS | IP | Private IP address 10.20.30.40 |
| | | Flags | SYN packets with low source ports |
| | | Ports | Low ports to low ports |
| 04/06/99 | HTTP Tunnel | Ports | 8000-32890 High port to high port |
| 04/06/99 | QueSO | Flags | Bad flag combinations |
| 04/07/99 | Netbus | Ports | 1290-12345 High port to high port (final stage of attack) |
| 04/07/99 | QueSO | Flags | Bad flag combinations, responses detected |
| 04/07/99 | Portsweep | Flags | Lone FIN packets |
| | | Sequence # | SEQ=ACK=0 |
| 04/07/99 | QueSO | Flags | Bad flag combinations |
| 04/08/99 | NTinfoscan | Ports | Low port to low port |
| | | Flags | SYN packets with low source ports |
| 04/08/99 | HTTP Tunnel | Ports | 8000-32939 High port to high port |
| 04/08/99 | Satan | Flags | SYN packets with low source ports |
| | | Ports | High ports to high ports |
| 04/08/99 | NTinfoscan | Ports | Low port to low port |
| | | Flags | SYN packets with low source ports |
| 04/09/99 | Land DoS | IP | Source IP address same as destination IP address |
| | | Flags | SYN packet with low source port |
| | | Ports | Low port to low port |
| 04/09/99 | Portsweep | Flags | Lone FIN packets |
| | | Sequence # | SEQ=ACK=0 |
| 04/09/99 | Neptune DoS | Flags | SYN packets with low source ports |
| | | Ports | Low ports to low ports |

Table 6: Misclassifications detected by this approach.

| Classifier | False Positives | False Negatives | # Detected |
|---|---|---|---|
| Flags | 1 444 | 0 | 2 383 |
| IP | 0 | 0 | 128 134 |
| Sequence | 0 | 0 | 1 032 |
| Port | 7 853 | 0 | 41 557 |
| Total | 9 297 | 0 | 173 106 |

Table 6 summarises the statistics for the model's false positives. Overall, out of 10 817 196 packets analysed, a total of 173 106 were detected as suspicious by the individual classifiers. The sequence numbers classifier had the best performance, with no false positives. The flags classifier was the worst affected by false positives, which accounted for 60% of all that classifier's detects. However, when we factored in the original alert definitions, there are only 368 false positives for this classifier. The implementation of this classifier did not include the handling of fragmentation.

Except for the labeled attacks, mentioned at the beginning of this section, which 
our approach could not detect, there were no false negatives detected by any of the 
classifiers. 

5.2.2 Additional DARPA Data Findings 

The ANN produced some alerts that were not documented as an attack in the DARPA 1999 data. An undocumented land attack was found on 04/05/99. Attempts to access ports 8000 (previously used for the HTTPtunnel attack) and 9000 were detected on 04/05/99, 04/06/99 and 04/07/99.

Six HTTP sessions were detected on 04/07/99 and 04/08/99 where the client sends 
data 1 byte at a time. These were identified through an anomalous lone FIN packet 
sent at the start of each session. Further investigation revealed the anomalous data 
transfer behaviour. While the content of the packets was not found to be malicious, 
the behaviour is certainly suspicious and consumes bandwidth unnecessarily. 

The tcpreset attack was expected to have been detected by the ANN; however, no evidence of the attack was found in the ANN alerts. A manual inspection of the data also showed no evidence of the attack, so we conclude that the failure is not with the ANN classifiers. There were two cases where TCP reset packets were detected by the Ports classifier, with source and destination port 123. These are odd, as all previous communication on these ports was UDP. Had this been an attempted tcpreset attack, these packets should have had no effect.

6 Concluding Remarks


In this work, we have demonstrated the design and successful implementation of a system of multi-layer perceptron classifiers to detect suspicious TCP traffic at a packet-by-packet level. The ANN is capable of detecting attacks ranging from denial of service attacks and probing activity to activities violating a network security policy through access of prohibited IP domains (e.g. email, audio or video data transfers).

The alerts generated by the ANN approach were compared to the documented attacks in the DARPA 1999 IDS Evaluation data. The method was successful in detecting those documented attacks that are not dependent on detection of content or on analysis of a series of packets. Some of the attacks were discovered by performing an analysis of the other, legitimate, packets related to the alert. The classifiers can be re-trained easily to define access rules, which would allow for the detection of attacks that otherwise do not trigger an alert from our classifiers.

The DARPA data contained attacks and suspicious activity that was not documented. A land attack was discovered, as well as excessively fragmented telnet sessions and HTTP sessions where the client sends 1 byte of data per packet. While the latter two are not necessarily attacks, they are certainly cause for concern.

While there were no false negatives reported, the classifiers generated some false positives related to the original rule-set definitions and the model's handling of packet fragmentation. The classifiers read the subsequent packet fragments, which do not contain the TCP header information, as full packets. As a result, the information read into the classifiers was incorrect, resulting in the false positives. The classifiers can be tailored to the network under surveillance to minimize these events as much as possible, but it would be difficult to eliminate them altogether.

This model also addresses one of the limitations of ANNs, specifically their usual inability to report the exact cause of an alert. By pointing to which classifier triggered the alert, we enable the operator to identify the source of the alarm. Future work will investigate the possibility of expanding the output of the individual classifiers so that it would be easier to identify the exact source of a given attack.

By definition this model does not detect attacks that do not utilize TCP or that 
require an analysis of a sequence of packets. Future work will investigate how this 
model, or a derivative of it, would perform when multiple packets forming a session 
and multiple sessions are considered. Given that many of the attacks in the DARPA 
attack data fall into this category, further investigations of ANN models to include 
coordinated attacks and multiple events are warranted. 





One application that may take advantage of the processing speed of ANNs is to use an ANN model in conjunction with real-time operating systems on network devices or firewalls, where processing speed and precision are critical. The ANN model may be made easily configurable from a user interface (UI) to allow changes in ANN definitions and to allow off-line training.

For the size and complexity of the problem we are dealing with in this work, using ANNs may be too powerful to have significant advantages over using IDS rules such as those of Snort. However, for a possible layer 2 implementation in real-time on TCP/IP communications equipment, this model would potentially be much better than IDS rules in that it is faster and requires less computational effort.

Given the ever-changing definitions in data communications, the use of an ANN with supervised training may not be the best option since frequent retraining would be required. Rather than pursuing this further, in an effort to perfect it, it would be wise to explore the use of unsupervised training techniques such as the autoassociator. Efforts are already under way to explore the usage of the autoassociator in other intrusion detection work such as network event correlation and DDoS detection.
Figure A.1: The 1999 DARPA simulation network.
Annex B

Summary of IP Classifier Results 


The IP classifier uses source and destination IP address and source port attributes to discover:

• Private IP addresses

• Source IP same as destination IP

• Broadcast IP addresses

With the use of the source port attribute, it can be trained to detect unauthorized services from known servers; however, this was not applied.


Portscan, sequential dest ports on one host: Neptune DoS 

1999-04-05 22:03:55.501770 10.20.30.40:4673 > 172.16.112.50:1: S 2187784450:2187784450(0) win 242 
1999-04-05 22:03:55.502082 172.16.112.50:1 > 10.20.30.40:4673: R 0:0(0) ack 2187784451 win 0 

1999-04-05 22:10:45.160028 10.20.30.40:4497 > 172.16.112.50:1024: S 2176250114:2176250114(0) win 242 
1999-04-05 22:10:45.160201 172.16.112.50:1024 > 10.20.30.40:4497: R 0:0(0) ack 2176250115 win 0 


Repeated, another host: Neptune DoS 

1999-04-06 15:38:00.454642 10.20.30.40:4631 > 172.16.114.50:1: S 2185031938:2185031938(0) win 242 
1999-04-06 15:38:00.454862 172.16.114.50:1 > 10.20.30.40:4631: R 0:0(0) ack 2185031939 win 0 

1999-04-06 15:51:39.670267 10.20.30.40:4535 > 172.16.114.50:1024: S 2178740482:2178740482(0) win 242 
1999-04-06 15:51:39.670566 172.16.114.50:1024 > 10.20.30.40:4535: R 0:0(0) ack 2178740483 win 0 


Delayed SA responses to SYN packets to port 25 in the above DoS

1999-04-06 15:53:28.607993 172.16.114.50:25 > 10.20.30.40:54042: S 2843644623:2843644623(0) ack 1128329475 win 31744
1999-04-06 16:01:28.668890 172.16.114.50:25 > 10.20.30.40:56090: S 3917236053:3917236053(0) ack 1262547203 win 31744


Land attack DoS 

1999-04-09 18:32:17.628397 172.16.113.50:25 > 172.16.113.50:25: S 3868:3868(0) win 2048 
Annex C

Summary of Flags Classifier Results 


The Flags classifier uses TCP flags, ports and payload size to discover: 

• Bad flag combinations 

• SYN with payload 

• RST or RST/ACK with payload 

• SYN with well-known source port 


False positives: SYN from port 20 (ftp-data) 

FIN scan: Lone FIN (bad flags) to random destination ports on one host 

1999-04-05 13:43:08.073616 208.240.124.83:43170 > 172.16.112.50:3: F 0:0(0) win 2048 

1999-04-05 13:46:50.927546 208.240.124.83:62309 > 172.16.112.50:9: F 0:0(0) win 2048 


Undocumented: Land attack 

1999-04-05 16:48:08.463617 172.16.112.50:25 > 172.16.112.50:25: S 3868:3868(0) win 2048 


False positive: SYN from low port 1023 to printer port 


1999-04-05 18:01:50.299745 172.16.113.50:1023 > 172.16.112.50:515: S 812224000:812224000(0) win 4096
1999-04-05 18:01:50.300261 172.16.112.50:515 > 172.16.113.50:1023: S 2939188589:2939188589(0) ack 812224001 win 8760
1999-04-05 19:21:36.605549 172.16.113.50:1023 > 172.16.112.50:515: S 1425152000:1425152000(0) win 4096
1999-04-05 19:21:36.606071 172.16.112.50:515 > 172.16.113.50:1023: S 3547480582:3547480582(0) ack 1425152001 win 8760
1999-04-05 20:14:23.621866 172.16.113.50:1023 > 172.16.112.50:515: S 1831296000:1831296000(0) win 4096
1999-04-05 20:14:23.622353 172.16.112.50:515 > 172.16.113.50:1023: S 3951426335:3951426335(0) ack 1831296001 win 8760
1999-04-05 20:19:18.412374 172.16.113.50:1023 > 172.16.112.50:515: S 1869312000:1869312000(0) win 4096
1999-04-05 20:19:18.412714 172.16.112.50:515 > 172.16.113.50:1023: S 3989044364:3989044364(0) ack 1869312001 win 8760


Neptune DoS: SYN from randomized low ports to random destination ports on one host 

1999-04-05 22:04:00.320655 10.20.30.40:66 > 172.16.112.50:12: S 1885860098:1885860098(0) win 242 


False positive: SYN from low port 1023 to SSH and printer ports 

1999-04-06 13:19:18.178225 172.16.112.50:1023 > 172.16.112.20:22: S 751177833:751177833(0) win 8760 

1999-04-06 13:19:18.178539 172.16.112.20:22 > 172.16.112.50:1023: S 657409615:657409615(0) ack 751177834 win 32736 

1999-04-06 14:32:42.824842 172.16.114.207:1023 > 172.16.112.50:513: S 539785390:539785390(0) win 512 

1999-04-06 14:32:42.825206 172.16.112.50:513 > 172.16.114.207:1023: S 322000618:322000618(0) ack 539785391 win 8760 

1999-04-06 15:37:44.493847 172.16.113.50:1023 > 172.16.112.50:515: S 1812288001:1812288001(0) win 4096 

1999-04-06 15:37:44.494172 172.16.112.50:515 > 172.16.113.50:1023: S 819369802:819369802(0) ack 1812288002 win 8760 


Neptune DoS: SYN from randomized low ports on one host 

1999-04-06 15:38:05.213565 10.20.30.40:24 > 172.16.114.50:6: S 1883107586:1883107586(0) win 242 


1999-04-06 15:47:13.133721 10.20.30.40:899 > 172.16.114.50:691: S 1940451586:1940451586(0) win 242 


False positive: SYN from low port 1023 to printer port

1999-04-06 15:47:13.248573 172.16.113.50:1023 > 172.16.112.50:515: S 1885376001:1885376001(0) win 4096
1999-04-06 15:47:13.249954 172.16.112.50:515 > 172.16.113.50:1023: S 891994416:891994416(0) ack 1885376002 win 8760


False positive: SYN from low port 1023 to printer port 

1999-04-06 16:24:02.399909 172.16.113.50:1023 > 172.16.112.50:515: S 20672000:20672000(0) win 4096 

1999-04-06 16:24:02.400289 172.16.112.50:515 > 172.16.113.50:1023: S 1173644809:1173644809(0) ack 20672001 win 8760 
1999-04-06 17:44:03.086280 172.16.113.50:1023 > 172.16.112.50:515: S 635904000:635904000(0) win 4096 

1999-04-06 17:44:03.086795 172.16.112.50:515 > 172.16.113.50:1023: S 1788027537:1788027537(0) ack 635904001 win 8760 

1999-04-06 19:19:51.758595 172.16.113.50:1023 > 172.16.112.50:515: S 1372864000:1372864000(0) win 4096 

1999-04-06 19:19:51.759129 172.16.112.50:515 > 172.16.113.50:1023: S 2517548376:2517548376(0) ack 1372864001 win 8760 

QueSO: bad flags, no response detected 

1999-04-06 20:54:14.044298 199.227.99.125:26873 > 172.16.113.50:25: S 1924662232:1924662232(0) ack 0 win 4660 

1999-04-06 20:54:16.063980 199.227.99.125:26874 > 172.16.113.50:25: F 1924662232:1924662232(0) win 4660 

1999-04-06 20:54:39.289140 199.227.99.125:26876 > 172.16.113.50:25: SF 1924662232:1924662232(0) win 4660 
1999-04-06 20:54:41.308678 199.227.99.125:26877 > 172.16.113.50:25: P 1924662232:1924662232(0) win 4660 
1999-04-06 20:55:02.514404 199.227.99.125:26878 > 172.16.113.50:25: SWE 1924662232:1924662232(0) win 4660 

Undocumented: Anomalous HTTP session — investigation shows 1 byte of data transferred per packet 

1999-04-07 12:39:42.898774 206.48.44.50:2295 > 172.16.114.50:80: F 3208635203:3208635203(0) win 0 

1999-04-07 13:15:28.885706 206.48.44.50:2297 > 172.16.114.50:80: F 4070161920:4070161920(0) win 0 

1999-04-07 13:23:51.573858 206.48.44.50:2299 > 172.16.114.50:80: F 277741562:277741562(0) win 0 

QueSO: bad flags, with response 

1999-04-07 15:34:13.020863 197.182.91.233:16446 > 172.16.114.50:23: S 1150614957:1150614957(0) ack 0 win 4660 

1999-04-07 15:36:14.014324 197.182.91.233:16447 > 172.16.114.50:23: F 1150614957:1150614957(0) win 4660 

1999-04-07 15:40:35.192014 197.182.91.233:16449 > 172.16.114.50:23: SF 1150614957:1150614957(0) win 4660 

1999-04-07 15:40:35.192357 172.16.114.50:23 > 197.182.91.233:16449: SF 4180280353:4180280353(0) ack 1150614958 win 31744 

1999-04-07 15:42:55.373880 197.182.91.233:16450 > 172.16.114.50:23: P 1150614957:1150614957(0) win 4660 

1999-04-07 15:45:15.555801 197.182.91.233:16451 > 172.16.114.50:23: SWE 1150614957:1150614957(0) win 4660 

1999-04-07 15:45:15.556150 172.16.114.50:23 > 197.182.91.233:16451: SWE 2132661837:2132661837(0) ack 1150614958 win 3174 

False positive: SYN from low port 1023 to printer port 

1999-04-07 15:51:32.790147 172.16.113.50:1023 > 172.16.112.50:515: S 1968192001:1968192001(0) win 4096 

1999-04-07 15:51:32.790651 172.16.112.50:515 > 172.16.113.50:1023: S 1921698939:1921698939(0) ack 1968192002 win 8760 

FIN scan: lone FIN (bad flag) 

1999-04-07 16:37:05.119686 204.97.153.43:33731 > 172.16.114.50:1: F 0:0(0) win 3072 

1999-04-07 16:37:11.119509 204.97.153.43:33732 > 172.16.114.50:1: F 0:0(0) win 3072 

1999-04-07 16:38:11.212840 204.97.153.43:48334 > 172.16.114.50:2: F 0:0(0) win 4096 

1999-04-07 16:39:11.271440 204.97.153.43:36206 > 172.16.114.50:3: F 0:0(0) win 1024 

1999-04-07 16:40:11.330299 204.97.153.43:34897 > 172.16.114.50:4: F 0:0(0) win 4096 

1999-04-07 16:41:11.398469 204.97.153.43:44837 > 172.16.114.50:5: F 0:0(0) win 3072 

1999-04-07 16:42:11.476742 204.97.153.43:57319 > 172.16.114.50:6: F 0:0(0) win 4096 

1999-04-07 16:43:11.555454 204.97.153.43:42505 > 172.16.114.50:7: F 0:0(0) win 2048 

1999-04-07 16:43:17.563378 204.97.153.43:42506 > 172.16.114.50:7: F 0:0(0) win 2048 

1999-04-07 16:44:23.701950 204.97.153.43:47885 > 172.16.114.50:8: F 0:0(0) win 4096 

1999-04-07 16:45:24.019973 204.97.153.43:47234 > 172.16.114.50:9: F 0:0(0) win 4096 

1999-04-07 16:45:30.025698 204.97.153.43:47235 > 172.16.114.50:9: F 0:0(0) win 4096 

1999-04-07 16:46:36.147226 204.97.153.43:53912 > 172.16.114.50:10: F 0:0(0) win 4096 

False positive: SYN from low port 1021 to SSH 

1999-04-07 16:48:18.389375 206.48.44.50:1021 > 172.16.114.50:22: S 3871009220:3871009220(0) win 512 

1999-04-07 16:48:18.389717 172.16.114.50:22 > 206.48.44.50:1021: S 911077798:911077798(0) ack 3871009221 win 31744 

QueSO: bad flags, no response 

1999-04-07 17:43:16.262426 172.16.114.169:13697 > 172.16.112.50:25: S 552908031:552908031(0) ack 0 win 4660 

1999-04-07 17:46:35.406694 172.16.114.169:13698 > 172.16.112.50:25: F 552908031:552908031(0) win 4660 

1999-04-07 17:53:15.734876 172.16.114.169:13700 > 172.16.112.50:25: SF 552908031:552908031(0) win 4660 
1999-04-07 17:56:19.733439 172.16.114.169:13701 > 172.16.112.50:25: P 552908031:552908031(0) win 4660 
1999-04-07 17:59:23.732127 172.16.114.169:13702 > 172.16.112.50:25: SWE 552908031:552908031(0) win 4660 

False positive: SYN from low port 1023 to printer port 

1999-04-07 21:03:06.591166 172.16.113.50:1023 > 172.16.112.50:515: S 75840000:75840000(0) win 4096 
1999-04-07 21:03:06.591482 172.16.112.50:515 > 172.16.113.50:1023: S 5138528:5138528(0) ack 75840001 win 8760 

Undocumented: Anomalous HTTP session — investigation shows 1 byte of data transferred per packet 

1999-04-08 12:43:38.772729 206.48.44.50:3759 > 172.16.114.50:80: F 242486627:242486627(0) win 0 

1999-04-08 12:43:46.552168 206.48.44.50:3821 > 172.16.114.50:80: F 2049880209:2049880209(0) win 0 

1999-04-08 12:43:57.467964 206.48.44.50:3822 > 172.16.114.50:80: F 1554285451:1554285451(0) win 0 


DRDC Ottawa TM 2004-208 

False positive: SYN from low port 1023 to printer port 

1999-04-08 13:13:43.105379 172.16.113.50:1023 > 172.16.112.50:515: S 706176001:706176001(0) win 4096 

1999-04-08 13:13:43.105721 172.16.112.50:515 > 172.16.113.50:1023: S 706994143:706994143(0) ack 706176002 win 8760 

1999-04-08 13:18:28.613968 172.16.113.50:1023 > 172.16.112.50:515: S 742720001:742720001(0) win 4096 

1999-04-08 13:18:28.614298 172.16.112.50:515 > 172.16.113.50:1023: S 743524233:743524233(0) ack 742720002 win 8760 

1999-04-08 13:36:12.435355 172.16.113.50:1023 > 172.16.112.50:515: S 879232001:879232001(0) win 4096 

1999-04-08 13:36:12.436765 172.16.112.50:515 > 172.16.113.50:1023: S 878153743:878153743(0) ack 879232002 win 8760 

False positive: SYN from low port 1023 to SSH 

1999-04-08 13:43:18.774060 206.48.44.50:1023 > 172.16.114.50:22: S 184755503:184755503(0) win 512 

1999-04-08 13:43:18.776468 172.16.114.50:22 > 206.48.44.50:1023: S 889901208:889901208(0) ack 184755504 win 31744 

SATAN: Lots of connections here, SYN from low port to port 111 (RPC) 

1999-04-08 18:58:22.479377 209.74.60.168:878 > 172.16.114.50:111: S 2170743131:2170743131(0) win 512 
1999-04-09 05:46:54.595297 207.136.86.223:941 > 172.16.115.87:111: S 3524467774:3524467774(0) win 512 
False positive: SYN from low port 1023 to printer port 

1999-04-09 13:16:44.668151 172.16.113.50:1023 > 172.16.112.50:515: S 770752001:770752001(0) win 4096 

1999-04-09 13:16:44.668503 172.16.112.50:515 > 172.16.113.50:1023: S 772376795:772376795(0) ack 770752002 win 8760 

False positive: SYN from low port 1023 to printer port 

1999-04-09 15:30:54.969911 172.16.113.50:1023 > 172.16.112.50:515: S 1806144001:1806144001(0) win 4096 

1999-04-09 15:30:54.970185 172.16.112.50:515 > 172.16.113.50:1023: S 1800094144:1800094144(0) ack 1806144002 win 8760 

1999-04-09 15:33:13.269244 172.16.113.50:1023 > 172.16.112.50:515: S 1823872001:1823872001(0) win 4096 

1999-04-09 15:33:13.269519 172.16.112.50:515 > 172.16.113.50:1023: S 1817483065:1817483065(0) ack 1823872002 win 8760 

1999-04-09 15:42:55.529964 172.16.113.50:1023 > 172.16.112.50:515: S 1898624001:1898624001(0) win 4096 

1999-04-09 15:42:55.531288 172.16.112.50:515 > 172.16.113.50:1023: S 1892983054:1892983054(0) ack 1898624002 win 8760 

FIN scan: lone FIN (bad flags) 

1999-04-09 15:52:06.231054 206.186.80.111:59543 > 172.16.113.50:79: F 0:0(0) win 3072 
1999-04-09 15:52:12.256155 206.186.80.111:59544 > 172.16.113.50:79: F 0:0(0) win 3072 
1999-04-09 15:53:58.359515 206.186.80.111:51887 > 172.16.113.50:7: F 0:0(0) win 3072 
1999-04-09 15:54:04.372822 206.186.80.111:51888 > 172.16.113.50:7: F 0:0(0) win 3072 
1999-04-09 15:55:50.468902 206.186.80.111:57112 > 172.16.113.50:9: F 0:0(0) win 2048 
1999-04-09 15:55:56.489620 206.186.80.111:57113 > 172.16.113.50:9: F 0:0(0) win 2048 
1999-04-09 15:57:42.595667 206.186.80.111:35145 > 172.16.113.50:19: F 0:0(0) win 1024 
1999-04-09 15:57:48.616220 206.186.80.111:35146 > 172.16.113.50:19: F 0:0(0) win 1024 

False positive: SYN from low port 1023 to printer port 

1999-04-09 16:17:09.562055 172.16.113.50:1023 > 172.16.112.50:515: S 14016000:14016000(0) win 4096 

1999-04-09 16:17:09.563467 172.16.112.50:515 > 172.16.113.50:1023: S 2154409720:2154409720(0) ack 14016001 win 8760 

1999-04-09 16:27:22.135713 172.16.113.50:1023 > 172.16.112.50:515: S 92800000:92800000(0) win 4096 

1999-04-09 16:27:22.136024 172.16.112.50:515 > 172.16.113.50:1023: S 2233128703:2233128703(0) ack 92800001 win 8760 

1999-04-09 16:36:49.374774 172.16.113.50:1023 > 172.16.112.50:515: S 165440000:165440000(0) win 4096 

1999-04-09 16:36:49.375085 172.16.112.50:515 > 172.16.113.50:1023: S 2304936803:2304936803(0) ack 165440001 win 8760 

1999-04-09 18:21:51.699624 172.16.113.50:1023 > 172.16.112.50:515: S 973696000:973696000(0) win 4096 

1999-04-09 18:21:51.699996 172.16.112.50:515 > 172.16.113.50:1023: S 3105260648:3105260648(0) ack 973696001 win 8760 

1999-04-09 18:23:00.486114 172.16.113.50:1023 > 172.16.112.50:515: S 982592000:982592000(0) win 4096 

1999-04-09 18:23:00.486446 172.16.112.50:515 > 172.16.113.50:1023: S 3114280893:3114280893(0) ack 982592001 win 8760 

Land attack: SYN from low port 

1999-04-09 18:32:17.628397 172.16.113.50:25 > 172.16.113.50:25: S 3868:3868(0) win 2048 
Neptune DoS: SYN from randomized low ports to port 21 

1999-04-09 22:29:56.680704 11.21.31.41:61 > 172.16.113.50:21: S 1885532418:1885532418(0) win 242 
1999-04-09 22:29:56.700594 11.21.31.41:317 > 172.16.113.50:21: S 1902309634:1902309634(0) win 242 

1999-04-09 22:29:56.720598 11.21.31.41:573 > 172.16.113.50:21: S 1919086850:1919086850(0) win 242 

1999-04-09 22:29:56.740580 11.21.31.41:829 > 172.16.113.50:21: S 1935864066:1935864066(0) win 242 

1999-04-09 22:30:01.849571 11.21.31.41:62 > 172.16.113.50:21: S 1885597954:1885597954(0) win 242 
1999-04-09 22:30:01.869562 11.21.31.41:318 > 172.16.113.50:21: S 1902375170:1902375170(0) win 242 

1999-04-09 22:30:01.889585 11.21.31.41:574 > 172.16.113.50:21: S 1919152386:1919152386(0) win 242 

1999-04-09 22:30:01.909579 11.21.31.41:830 > 172.16.113.50:21: S 1935929602:1935929602(0) win 242 

Annex D 

Summary of Ports Classifier Results 


The Ports classifier uses the TCP ports to discover: 

• Both ports > 1023 

• Both ports < 1023 

• Source or destination port 0 


Undocumented: Repeated connection attempts to port 8000 (HTTPtunnel?) 

1999-04-05 16:04:56.651007 172.16.112.50:32914 > 196.37.75.158:8000: S 2050946967:2050946967(0) win 8760 
1999-04-05 16:04:56.651777 196.37.75.158:8000 > 172.16.112.50:32914: R 0:0(0) ack 2050946968 win 0 

Undocumented: Land attack — low port - low port 

1999-04-05 16:48:08.463617 172.16.112.50:25 > 172.16.112.50:25: S 3868:3868(0) win 2048 

Neptune DoS: Only the low-low and high-high port combinations are caught with this classifier 
1999-04-05 22:04:00.320655 10.20.30.40:66 > 172.16.112.50:12: S 1885860098:1885860098(0) win 242 
1999-04-05 22:04:00.320827 172.16.112.50:12 > 10.20.30.40:66: R 0:0(0) ack 1885860099 win 0 

1999-04-05 22:10:45.160028 10.20.30.40:4497 > 172.16.112.50:1024: S 2176250114:2176250114(0) win 242 
1999-04-05 22:10:45.160201 172.16.112.50:1024 > 10.20.30.40:4497: R 0:0(0) ack 2176250115 win 0 

Possible Tcpreset attack: low port - low port 

1999-04-06 12:12:31.599205 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-06 12:13:35.594085 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-06 12:14:39.577410 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-06 12:15:43.561582 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-06 12:16:47.555796 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-06 12:17:51.539983 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-06 12:18:55.524810 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-06 12:19:59.508369 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

Ftpwrite: final stage of attack — low port - low port 

1999-04-06 14:32:42.824842 172.16.114.207:1023 > 172.16.112.50:513: S 539785390:539785390(0) win 512 
Neptune DoS: low port - low port and high port - high port detected 

1999-04-06 15:38:05.213565 10.20.30.40:24 > 172.16.114.50:6: S 1883107586:1883107586(0) win 242 
1999-04-06 15:38:05.213760 172.16.114.50:6 > 10.20.30.40:24: R 0:0(0) ack 1883107587 win 0 

1999-04-06 15:51:39.670267 10.20.30.40:4535 > 172.16.114.50:1024: S 2178740482:2178740482(0) win 242 
1999-04-06 15:51:39.670566 172.16.114.50:1024 > 10.20.30.40:4535: R 0:0(0) ack 2178740483 win 0 

HTTPtunnel: high port - high port 

1999-04-06 16:04:57.810365 172.16.112.50:32890 > 196.37.75.158:8000: S 1026608069:1026608069(0) win 8760 

1999-04-06 16:04:57.811115 196.37.75.158:8000 > 172.16.112.50:32890: R 0:0(0) ack 1026608070 win 0 

1999-04-06 16:05:27.807153 172.16.112.50:32891 > 196.37.75.158:8000: S 1030515823:1030515823(0) win 8760 

1999-04-06 16:05:27.807983 196.37.75.158:8000 > 172.16.112.50:32891: R 0:0(0) ack 1030515824 win 0 

1999-04-06 16:05:57.804357 172.16.112.50:32892 > 196.37.75.158:8000: S 1034302995:1034302995(0) win 8760 

1999-04-06 16:05:57.805050 196.37.75.158:8000 > 172.16.112.50:32892: R 0:0(0) ack 1034302996 win 0 

1999-04-06 16:06:27.801652 172.16.112.50:32893 > 196.37.75.158:8000: S 1038185830:1038185830(0) win 8760 

1999-04-06 16:06:27.802828 196.37.75.158:8000 > 172.16.112.50:32893: S 546626866:546626866(0) ack 1038185831 win 32736 

1999-04-06 16:06:27.803026 172.16.112.50:32893 > 196.37.75.158:8000: . ack 546626867 win 8760 

1999-04-06 16:06:27.804224 172.16.112.50:32893 > 196.37.75.158:8000: P 1038185831:1038185867(36) ack 546626867 win 8760 
1999-04-06 16:06:27.824121 196.37.75.158:8000 > 172.16.112.50:32893: . ack 1038185867 win 32736 
1999-04-06 16:06:27.824475 172.16.112.50:32893 > 196.37.75.158:8000: P 1038185867:1038186069(202) ack 546626867 win 8760 
1999-04-06 16:06:27.826642 196.37.75.158:8000 > 172.16.112.50:32893: P 546626867:546626898(31) ack 1038186069 win 32736 
1999-04-06 16:06:27.829838 196.37.75.158:8000 > 172.16.112.50:32893: P 546626898:546627507(609) ack 1038186069 win 32736 
1999-04-06 16:06:27.829905 196.37.75.158:8000 > 172.16.112.50:32893: F 546627507:546627507(0) ack 1038186069 win 32736 
1999-04-06 16:06:27.830054 172.16.112.50:32893 > 196.37.75.158:8000: . ack 546627507 win 8760 

1999-04-06 16:06:27.830123 172.16.112.50:32893 > 196.37.75.158:8000: . ack 546627508 win 8760 

1999-04-06 16:06:27.915897 172.16.112.50:32894 > 196.37.75.158:8000: S 1038315772:1038315772(0) win 8760 

1999-04-06 16:06:27.916915 196.37.75.158:8000 > 172.16.112.50:32894: S 2601713000:2601713000(0) ack 1038315773 win 32736 

1999-04-06 16:06:27.917118 172.16.112.50:32894 > 196.37.75.158:8000: . ack 2601713001 win 8760 

1999-04-06 16:06:27.918288 172.16.112.50:32894 > 196.37.75.158:8000: P 1038315773:1038315809(36) ack 2601713001 win 8760 
1999-04-06 16:06:27.934082 196.37.75.158:8000 > 172.16.112.50:32894: . ack 1038315809 win 32736 

1999-04-06 16:06:27.934446 172.16.112.50:32894 > 196.37.75.158:8000: P 1038315809:1038316020(211) ack 2601713001 win 876 
1999-04-06 16:06:27.936245 196.37.75.158:8000 > 172.16.112.50:32894: F 2601713001:2601713001(0) ack 1038316020 win 32736 
1999-04-06 16:06:27.936379 172.16.112.50:32894 > 196.37.75.158:8000: . ack 2601713002 win 8760 

1999-04-06 16:06:27.936955 172.16.112.50:32894 > 196.37.75.158:8000: F 1038316020:1038316020(0) ack 2601713002 win 8760 

1999-04-06 16:06:27.937824 196.37.75.158:8000 > 172.16.112.50:32894: . ack 1038316021 win 32735 

1999-04-06 16:06:57.939569 172.16.112.50:32895 > 196.37.75.158:8000: S 1042105644:1042105644(0) win 8760 

1999-04-06 16:06:57.940615 196.37.75.158:8000 > 172.16.112.50:32895: R 0:0(0) ack 1042105645 win 0 

1999-04-06 16:07:27.936274 172.16.112.50:32896 > 196.37.75.158:8000: S 1045939333:1045939333(0) win 8760 

1999-04-06 16:07:27.937306 196.37.75.158:8000 > 172.16.112.50:32896: R 0:0(0) ack 1045939334 win 0 

1999-04-06 16:07:57.933713 172.16.112.50:32897 > 196.37.75.158:8000: S 1049762779:1049762779(0) win 8760 

1999-04-06 16:07:57.934654 196.37.75.158:8000 > 172.16.112.50:32897: R 0:0(0) ack 1049762780 win 0 

1999-04-06 16:08:27.930939 172.16.112.50:32898 > 196.37.75.158:8000: S 1053846751:1053846751(0) win 8760 

1999-04-06 16:08:27.931992 196.37.75.158:8000 > 172.16.112.50:32898: R 0:0(0) ack 1053846752 win 0 

1999-04-06 16:08:57.928273 172.16.112.50:32899 > 196.37.75.158:8000: S 1057776800:1057776800(0) win 8760 

1999-04-06 16:08:57.929336 196.37.75.158:8000 > 172.16.112.50:32899: R 0:0(0) ack 1057776801 win 0 

1999-04-06 16:09:27.925952 172.16.112.50:32900 > 196.37.75.158:8000: S 1061663855:1061663855(0) win 8760 

1999-04-06 16:09:27.926914 196.37.75.158:8000 > 172.16.112.50:32900: R 0:0(0) ack 1061663856 win 0 

1999-04-06 16:09:57.923243 172.16.112.50:32893 > 196.37.75.158:8000: F 1038186069:1038186069(0) ack 546627508 win 8760 

1999-04-06 16:09:57.924310 196.37.75.158:8000 > 172.16.112.50:32893: R 546627508:546627508(0) win 0 

Undocumented: Connection attempt to port 9000 CSlistener 

1999-04-06 18:51:16.975569 172.16.112.100:4549 > 209.3.209.166:9000: S 25650750:25650750(0) win 8192 
1999-04-06 18:51:16.978625 209.3.209.166:9000 > 172.16.112.100:4549: R 0:0(0) ack 25650751 win 0 

Possible Tcpreset attack: low port - low port 

1999-04-07 14:21:15.393428 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-07 14:22:19.378014 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-07 14:23:23.362619 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-07 14:24:27.356408 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-07 14:25:31.340729 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-07 14:26:35.325019 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

1999-04-07 14:27:39.309218 172.16.112.50:123 > 172.16.112.10:123: R 470091505:470091505(0) win 1 

NetBus: high port - high port 

1999-04-07 16:03:40.582138 206.48.44.18:1290 > 172.16.112.100:12345: S 16062765:16062765(0) win 8192 

1999-04-07 16:03:40.582296 172.16.112.100:12345 > 206.48.44.18:1290: S 16057937:16057937(0) ack 16062766 win 8760 

1999-04-07 16:03:40.585034 206.48.44.18:1290 > 172.16.112.100:12345: . ack 16057938 win 8760 

1999-04-07 16:04:35.056918 206.48.44.18:1292 > 172.16.112.100:12346: S 16117250:16117250(0) win 8192 

1999-04-07 16:04:35.057080 172.16.112.100:12346 > 206.48.44.18:1292: S 16112421:16112421(0) ack 16117251 win 8760 

1999-04-07 16:04:35.057919 206.48.44.18:1292 > 172.16.112.100:12346: . ack 16112422 win 8760 


Undocumented: Probe for port 8000 (HTTPtunnel?) 

1999-04-07 16:05:25.515349 172.16.112.50:32937 > 196.37.75.158:8000: S 2028664164:2028664164(0) win 8760 
1999-04-07 16:05:25.518000 196.37.75.158:8000 > 172.16.112.50:32937: R 0:0(0) ack 2028664165 win 0 
1999-04-07 16:05:55.521997 172.16.112.50:32938 > 196.37.75.158:8000: S 2032483304:2032483304(0) win 8760 
1999-04-07 16:05:55.522725 196.37.75.158:8000 > 172.16.112.50:32938: R 0:0(0) ack 2032483305 win 0 
1999-04-07 16:06:25.519367 172.16.112.50:32939 > 196.37.75.158:8000: S 2036376161:2036376161(0) win 8760 
1999-04-07 16:06:25.520056 196.37.75.158:8000 > 172.16.112.50:32939: R 0:0(0) ack 2036376162 win 0 
1999-04-07 16:06:55.516587 172.16.112.50:32940 > 196.37.75.158:8000: S 2040299031:2040299031(0) win 8760 
1999-04-07 16:06:55.517307 196.37.75.158:8000 > 172.16.112.50:32940: R 0:0(0) ack 2040299032 win 0 
1999-04-07 16:07:25.513912 172.16.112.50:32941 > 196.37.75.158:8000: S 2044219338:2044219338(0) win 8760 
1999-04-07 16:07:25.514746 196.37.75.158:8000 > 172.16.112.50:32941: R 0:0(0) ack 2044219339 win 0 
1999-04-07 16:07:55.511653 172.16.112.50:32942 > 196.37.75.158:8000: S 2048134582:2048134582(0) win 8760 
1999-04-07 16:07:55.512441 196.37.75.158:8000 > 172.16.112.50:32942: R 0:0(0) ack 2048134583 win 0 
1999-04-07 16:08:25.508373 172.16.112.50:32943 > 196.37.75.158:8000: S 2052085791:2052085791(0) win 8760 
1999-04-07 16:08:25.509102 196.37.75.158:8000 > 172.16.112.50:32943: R 0:0(0) ack 2052085792 win 0 
1999-04-07 16:08:55.505699 172.16.112.50:32944 > 196.37.75.158:8000: S 2055974755:2055974755(0) win 8760 
1999-04-07 16:08:55.506382 196.37.75.158:8000 > 172.16.112.50:32944: R 0:0(0) ack 2055974756 win 0 
1999-04-07 16:09:25.503053 172.16.112.50:32946 > 196.37.75.158:8000: S 2059902500:2059902500(0) win 8760 
1999-04-07 16:09:25.503734 196.37.75.158:8000 > 172.16.112.50:32946: R 0:0(0) ack 2059902501 win 0 

NTinfoscan: low port - low port 

1999-04-08 15:21:28.137220 172.16.112.100:20 > 206.48.44.18:20: S 3273078:3273078(0) win 8192 
1999-04-08 15:21:28.138062 206.48.44.18:20 > 172.16.112.100:20: R 0:0(0) ack 3273079 win 0 

HTTPtunnel: high port - high port 

1999-04-08 16:04:55.437055 172.16.112.50:32935 > 196.37.75.158:8000: S 2009485840:2009485840(0) win 8760 

1999-04-08 16:04:55.437833 196.37.75.158:8000 > 172.16.112.50:32935: R 0:0(0) ack 2009485841 win 0 

1999-04-08 16:05:25.434275 172.16.112.50:32936 > 196.37.75.158:8000: S 2013381706:2013381706(0) win 8760 

1999-04-08 16:05:25.434968 196.37.75.158:8000 > 172.16.112.50:32936: R 0:0(0) ack 2013381707 win 0 

1999-04-08 16:05:55.431375 172.16.112.50:32938 > 196.37.75.158:8000: S 2017339930:2017339930(0) win 8760 

1999-04-08 16:05:55.432149 196.37.75.158:8000 > 172.16.112.50:32938: R 0:0(0) ack 2017339931 win 0 

1999-04-08 16:06:25.429153 172.16.112.50:32939 > 196.37.75.158:8000: S 2021268504:2021268504(0) win 8760 

1999-04-08 16:06:25.430145 196.37.75.158:8000 > 172.16.112.50:32939: S 782193537:782193537(0) ack 2021268505 win 32736 

1999-04-08 16:06:25.430335 172.16.112.50:32939 > 196.37.75.158:8000: . ack 782193538 win 8760 

1999-04-08 16:06:25.431504 172.16.112.50:32939 > 196.37.75.158:8000: P 2021268505:2021268541(36) ack 782193538 win 8760 
1999-04-08 16:06:25.443032 196.37.75.158:8000 > 172.16.112.50:32939: . ack 2021268541 win 32736 

1999-04-08 16:06:25.443483 172.16.112.50:32939 > 196.37.75.158:8000: P 2021268541:2021268743(202) ack 782193538 win 8760 
1999-04-08 16:06:25.445603 196.37.75.158:8000 > 172.16.112.50:32939: P 782193538:782193569(31) ack 2021268743 win 32736 
1999-04-08 16:06:25.448532 196.37.75.158:8000 > 172.16.112.50:32939: P 782193569:782194152(583) ack 2021268743 win 32736 
1999-04-08 16:06:25.448599 196.37.75.158:8000 > 172.16.112.50:32939: F 782194152:782194152(0) ack 2021268743 win 32736 
1999-04-08 16:06:25.448743 172.16.112.50:32939 > 196.37.75.158:8000: . ack 782194152 win 8760 

1999-04-08 16:06:25.448811 172.16.112.50:32939 > 196.37.75.158:8000: . ack 782194153 win 8760 

1999-04-08 16:06:25.539221 172.16.112.50:32940 > 196.37.75.158:8000: S 2021343082:2021343082(0) win 8760 

1999-04-08 16:06:25.540145 196.37.75.158:8000 > 172.16.112.50:32940: S 1449041600:1449041600(0) ack 2021343083 win 32736 

1999-04-08 16:06:25.540341 172.16.112.50:32940 > 196.37.75.158:8000: . ack 1449041601 win 8760 

1999-04-08 16:06:25.541705 172.16.112.50:32940 > 196.37.75.158:8000: P 2021343083:2021343119(36) ack 1449041601 win 8760 
1999-04-08 16:06:25.553131 196.37.75.158:8000 > 172.16.112.50:32940: . ack 2021343119 win 32736 
1999-04-08 16:06:25.553462 172.16.112.50:32940 > 196.37.75.158:8000: . ack 1449041601 win 8760 

1999-04-08 16:06:25.554693 172.16.112.50:32940 > 196.37.75.158:8000: . ack 1449041601 win 8760 

1999-04-08 16:06:25.555620 172.16.112.50:32940 > 196.37.75.158:8000: P 2021344749:2021345796(1047) ack 1449041601 win 87 
1999-04-08 16:06:25.567564 196.37.75.158:8000 > 172.16.112.50:32940: F 1449041601:1449041601(0) ack 2021345796 win 32736 

1999-04-08 16:06:25.567698 172.16.112.50:32940 > 196.37.75.158:8000: . ack 1449041602 win 8760 

1999-04-08 16:06:25.568273 172.16.112.50:32940 > 196.37.75.158:8000: F 2021345796:2021345796(0) ack 1449041602 win 8760 

1999-04-08 16:06:25.569135 196.37.75.158:8000 > 172.16.112.50:32940: . ack 2021345797 win 32735 

1999-04-08 16:06:55.565921 172.16.112.50:32941 > 196.37.75.158:8000: S 2025130416:2025130416(0) win 8760 

1999-04-08 16:06:55.566926 196.37.75.158:8000 > 172.16.112.50:32941: R 0:0(0) ack 2025130417 win 0 

1999-04-08 16:07:25.563552 172.16.112.50:32942 > 196.37.75.158:8000: S 2029151076:2029151076(0) win 8760 

1999-04-08 16:07:25.566348 196.37.75.158:8000 > 172.16.112.50:32942: R 0:0(0) ack 2029151077 win 0 

1999-04-08 16:07:55.570564 172.16.112.50:32944 > 196.37.75.158:8000: S 2033074131:2033074131(0) win 8760 

1999-04-08 16:07:55.571535 196.37.75.158:8000 > 172.16.112.50:32944: R 0:0(0) ack 2033074132 win 0 

1999-04-08 16:08:25.567783 172.16.112.50:32945 > 196.37.75.158:8000: S 2036884912:2036884912(0) win 8760 

1999-04-08 16:08:25.568768 196.37.75.158:8000 > 172.16.112.50:32945: R 0:0(0) ack 2036884913 win 0 

1999-04-08 16:08:55.565484 172.16.112.50:32946 > 196.37.75.158:8000: S 2040782008:2040782008(0) win 8760 

1999-04-08 16:08:55.566449 196.37.75.158:8000 > 172.16.112.50:32946: R 0:0(0) ack 2040782009 win 0 

1999-04-08 16:09:25.562437 172.16.112.50:32947 > 196.37.75.158:8000: S 2044583366:2044583366(0) win 8760 

1999-04-08 16:09:25.563463 196.37.75.158:8000 > 172.16.112.50:32947: R 0:0(0) ack 2044583367 win 0 

1999-04-08 16:09:55.559783 172.16.112.50:32939 > 196.37.75.158:8000: F 2021268743:2021268743(0) ack 782194153 win 8760 

1999-04-08 16:09:55.560884 196.37.75.158:8000 > 172.16.112.50:32939: R 782194153:782194153(0) win 0 

SATAN: Portscan high port - high port, sequential destination ports on one host 

1999-04-08 18:58:23.079487 209.74.60.168:11240 > 172.16.114.50:1024: S 263678194:263678194(0) win 512 

1999-04-08 18:58:23.079683 172.16.114.50:1024 > 209.74.60.168:11240: R 0:0(0) ack 263678195 win 0 


1999-04-08 18:58:31.419517 209.74.60.168:10168 > 172.16.114.50:9787: S 3116175040:3116175040(0) win 32120 
1999-04-08 18:58:31.419722 172.16.114.50:9787 > 209.74.60.168:10168: R 0:0(0) ack 3116175041 win 0 

NTinfoscan: low port - low port 

1999-04-08 22:30:50.907190 172.16.112.100:20 > 206.48.44.18:20: S 29040578:29040578(0) win 8192 
1999-04-08 22:30:50.908086 206.48.44.18:20 > 172.16.112.100:20: R 0:0(0) ack 29040579 win 0 
1999-04-08 22:30:51.422096 172.16.112.100:20 > 206.48.44.18:20: S 29040578:29040578(0) win 8192 
1999-04-08 22:30:51.422919 206.48.44.18:20 > 172.16.112.100:20: R 0:0(0) ack 29040579 win 0 
1999-04-08 22:30:51.968878 172.16.112.100:20 > 206.48.44.18:20: S 29040578:29040578(0) win 8192 
1999-04-08 22:30:51.969796 206.48.44.18:20 > 172.16.112.100:20: R 0:0(0) ack 29040579 win 0 
1999-04-08 22:30:52.515649 172.16.112.100:20 > 206.48.44.18:20: S 29040578:29040578(0) win 8192 
1999-04-08 22:30:52.516552 206.48.44.18:20 > 172.16.112.100:20: R 0:0(0) ack 29040579 win 0 






Annex E 

Summary of Sequence Classifier Results 


The Sequence classifier uses the TCP flags, TCP sequence number and TCP acknowledgement number attributes to discover: 

• SEQ=ACK=0 and not R or RA 
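
The Ports classifier rules (Annex D) and the Sequence classifier rule above (Annex E) can be checked against the annex listings directly. The following Python is an added example, not code from the report: it parses the tcpdump one-line format the annexes use and applies exactly the rules the two annexes state. The sample lines are copied from the annexes; the parser, the Packet record and the function names are the example's own. Note that tcpdump prints the ACK flag as a separate "ack N" field and "." when none of S/F/P/R is set, so the example derives A from that field before testing for "not R or RA".

```python
"""Ports (Annex D) and Sequence (Annex E) classifier rules applied to
tcpdump-style lines.  Added example, not the report's own code."""
import re
from dataclasses import dataclass

# tcpdump one-line format used in the annexes:
#   DATE TIME SRC:SPORT > DST:DPORT: FLAGS [SEQ:END(LEN)] [ack ACK] win WIN
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?"      # absent on pure ACK lines
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # letters S F P R W E, plus A when an ack field is present
    seq: int
    ack: int
    win: int


def parse_line(line):
    """Parse one tcpdump line into a Packet; raises ValueError on junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    g = m.groupdict()
    # "." means none of S/F/P/R; the ACK flag is implied by the ack field.
    flags = set(g["flags"].replace(".", ""))
    if g["ack"] is not None:
        flags.add("A")
    return Packet(
        ts=g["ts"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), flags=frozenset(flags),
        seq=int(g["seq"] or 0), ack=int(g["ack"] or 0), win=int(g["win"]),
    )


def ports_classifier(p):
    """Annex D rules: both ports > 1023, both ports < 1023, or a port 0."""
    hits = []
    if p.sport == 0 or p.dport == 0:
        hits.append("port 0")
    if p.sport > 1023 and p.dport > 1023:
        hits.append("both ports > 1023")
    if p.sport < 1023 and p.dport < 1023:
        hits.append("both ports < 1023")
    return hits


def sequence_classifier(p):
    """Annex E rule: SEQ = ACK = 0 and the flags are not R or RA."""
    if p.seq == 0 and p.ack == 0 and p.flags not in ({"R"}, {"R", "A"}):
        return ["SEQ=ACK=0 and not R/RA"]
    return []


def classify(lines):
    """Map each line that triggers either classifier to its list of reasons."""
    out = {}
    for line in lines:
        p = parse_line(line)
        reasons = ports_classifier(p) + sequence_classifier(p)
        if reasons:
            out[line] = reasons
    return out


# Lines copied from Annexes D and E; comments give the annex label.
SAMPLE = [
    # Neptune SYN, low port to low port
    "1999-04-05 22:04:00.320655 10.20.30.40:66 > 172.16.112.50:12: S 1885860098:1885860098(0) win 242",
    # Neptune SYN, high port to high port
    "1999-04-05 22:10:45.160028 10.20.30.40:4497 > 172.16.112.50:1024: S 2176250114:2176250114(0) win 242",
    # Land attack: identical source and destination, port 25 to port 25
    "1999-04-05 16:48:08.463617 172.16.112.50:25 > 172.16.112.50:25: S 3868:3868(0) win 2048",
    # FIN scan probe: lone FIN with SEQ = ACK = 0
    "1999-04-07 16:37:05.119686 204.97.153.43:33731 > 172.16.114.50:1: F 0:0(0) win 3072",
    # RST/ACK reply: seq 0 but ack set, so the Sequence rule must not fire
    "1999-04-05 16:04:56.651777 196.37.75.158:8000 > 172.16.112.50:32914: R 0:0(0) ack 2050946968 win 0",
    # pure ACK, no sequence field on the line
    "1999-04-06 16:06:27.803026 172.16.112.50:32893 > 196.37.75.158:8000: . ack 546626867 win 8760",
    # source port 1023 to SSH: neither rule fires, since 1023 is not < 1023
    "1999-04-06 13:19:18.178225 172.16.112.50:1023 > 172.16.112.20:22: S 751177833:751177833(0) win 8760",
]

if __name__ == "__main__":
    for line, reasons in classify(SAMPLE).items():
        print(", ".join(reasons), "<-", line)
```

The last sample line is the boundary case worth keeping in mind when reading the annexes: the rules as stated use strict inequalities, so a source port of exactly 1023 (the lpr and rlogin false positives listed in the Flags annex) is caught by neither Ports rule.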


FIN scan: 

1999-04-05 13:43:08.073616 208.240.124.83:43170 > 172.16.112.50:3: F 0:0(0) win 2048 
1999-04-05 13:46:50.927546 208.240.124.83:62309 > 172.16.112.50:9: F 0:0(0) win 2048 


FIN scan: 

1999-04-07 16:37:05.119686 204.97.153.43:33731 > 172.16.114.50:1: F 0:0(0) win 3072 
1999-04-07 16:37:11.119509 204.97.153.43:33732 > 172.16.114.50:1: F 0:0(0) win 3072 
1999-04-07 16:38:11.212840 204.97.153.43:48334 > 172.16.114.50:2: F 0:0(0) win 4096 
1999-04-07 16:39:11.271440 204.97.153.43:36206 > 172.16.114.50:3: F 0:0(0) win 1024 
1999-04-07 16:40:11.330299 204.97.153.43:34897 > 172.16.114.50:4: F 0:0(0) win 4096 
1999-04-07 16:41:11.398469 204.97.153.43:44837 > 172.16.114.50:5: F 0:0(0) win 3072 
1999-04-07 16:42:11.476742 204.97.153.43:57319 > 172.16.114.50:6: F 0:0(0) win 4096 
1999-04-07 16:43:11.555454 204.97.153.43:42505 > 172.16.114.50:7: F 0:0(0) win 2048 
1999-04-07 16:43:17.563378 204.97.153.43:42506 > 172.16.114.50:7: F 0:0(0) win 2048 
1999-04-07 16:44:23.701950 204.97.153.43:47885 > 172.16.114.50:8: F 0:0(0) win 4096 
1999-04-07 16:45:24.019973 204.97.153.43:47234 > 172.16.114.50:9: F 0:0(0) win 4096 
1999-04-07 16:45:30.025698 204.97.153.43:47235 > 172.16.114.50:9: F 0:0(0) win 4096 
1999-04-07 16:46:36.147226 204.97.153.43:53912 > 172.16.114.50:10: F 0:0(0) win 4096 

Annex F 

ACRONYMS 


ANN     Artificial Neural Network 
CGI     Common Gateway Interface 
DARPA   Defense Advanced Research Projects Agency 
DDoS    Distributed Denial of Service 
DoS     Denial of Service 
DNS     Domain Name System 
DREnet  Defence Research Establishment Network 
ECN     Explicit Congestion Notification 
FQDN    Fully Qualified Domain Name 
FTP     File Transfer Protocol 
HTML    HyperText Markup Language 
HTRQ    Hypertext Request 
HTTP    Hypertext Transfer Protocol 
ID      Intrusion Detection 
IDS     Intrusion Detection System 
IP      Internet Protocol 
ISN     Initial Sequence Number 
IPS     Intrusion Prevention System 
MSE     Mean Square Error 
NE      Network Element 
NTA     Network Traffic Analysis 
OS      Operating System 
SMTP    Simple Mail Transfer Protocol 
TCP     Transmission Control Protocol 
UDP     User Datagram Protocol 
UI      User Interface 
URL     Uniform Resource Locator 
WWW     World Wide Web 